Vulnerable WordPress plugin leaves online shoppers vulnerable

The most popular web content management system (CMS) is WordPress, which is used by more than 30% of all websites. By extension, the most popular ecommerce platform in the world is WooCommerce, a plugin that turns a WordPress website into an online shop. In fact, WooCommerce is so popular that it isn’t just part of WordPress’s software ecosystem, it has a software ecosystem of its very own.

There are hundreds of WordPress plugins that are designed to work with or extend the WooCommerce plugin in some way, and many of them are mature commercial software products in their own right. One such product is a popular extension called WooCommerce Dynamic Pricing and Discounts, which sells for a little less than $70 and has been purchased almost 20,000 times.

If your site is running that plugin, you need to update it to version 2.4.2 immediately.

Researchers recently discovered multiple security vulnerabilities affecting version 2.4.1 and below. These vulnerabilities have been fixed in version 2.4.2, which was released on August 22, 2021.

The vulnerabilities

The first vulnerability is a high-severity stored cross-site scripting (XSS) bug. Cross-site scripting (XSS) is a type of security vulnerability that lets attackers inject client-side scripts into web pages viewed by other users. In the stored variant the injected script is saved on the server, so it is served to every visitor who loads the affected page, not just to the victim of a single crafted link.

The researchers found that the vulnerable code missed two important checks: a capability check, which ensures the requesting user is authorized to perform a particular action, and a security nonce (short for “number used once”), a token tied to the user’s session and the intended action, so that a request forged from another site by way of cross-site request forgery (CSRF) cannot carry a valid one.

Without a capability check, the vulnerable function—which allowed users to import plugin settings—was available to anyone, including an unauthenticated attacker. Because some of the setting fields weren’t sanitized before being saved, an attacker could place JavaScript code in those fields of the JSON-encoded settings file and have it stored as part of the plugin’s configuration.

The second vulnerability exists in the plugin’s settings export functionality, which was also missing a capability check. In this case an unauthenticated attacker can export the plugin’s settings, inject JavaScript code into the resulting JSON file and then reimport the settings, including the malicious JavaScript, using the first vulnerability.
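To make the two missing checks concrete, here is an added, illustrative WordPress AJAX handler pair written for this article. It is not the vendor’s code: the option name (`example_plugin_settings`), the action and nonce names, the field names and the capability (`manage_woocommerce`) are all assumed placeholders. The first half shows the pattern the researchers describe (handler reachable by logged-out users, no capability check, no nonce, settings stored verbatim); the second half shows the same import and export handlers with a capability check, a nonce check, an allow-list sanitizer on write and escaping on read.

```php
<?php
/**
 * Added example for this article, not code from the affected plugin.
 * Assumptions: option name, AJAX action names, nonce action, field names
 * and the 'manage_woocommerce' capability are placeholders.
 */

// ---------- Vulnerable pattern (what the text describes) ----------
// Registering on wp_ajax_nopriv_ as well as wp_ajax_ exposes the handler to
// logged-out visitors; with no capability check and no nonce, anyone can call it.
add_action( 'wp_ajax_example_settings_export',        'example_settings_export_vulnerable' );
add_action( 'wp_ajax_nopriv_example_settings_export', 'example_settings_export_vulnerable' );
add_action( 'wp_ajax_example_settings_import',        'example_settings_import_vulnerable' );
add_action( 'wp_ajax_nopriv_example_settings_import', 'example_settings_import_vulnerable' );

function example_settings_export_vulnerable() {
    // Anyone can read the settings, including whatever sits in free-text fields.
    wp_send_json( get_option( 'example_plugin_settings', array() ) );
}

function example_settings_import_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    // Stored verbatim: a notice_text of "<script>...</script>" persists and is
    // later echoed on every product page.
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// ---------- Hardened pattern ----------
// No wp_ajax_nopriv_ registration: unauthenticated callers get WordPress's default refusal.
add_action( 'wp_ajax_example_settings_export', 'example_settings_export_safe' );
add_action( 'wp_ajax_example_settings_import', 'example_settings_import_safe' );

function example_require_shop_manager() {
    // Capability check: only users allowed to manage the shop may touch settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce check: the token is bound to this user and this action, so a request
    // forged from another site (CSRF) cannot carry a valid one. Dies on failure.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
}

function example_settings_export_safe() {
    example_require_shop_manager();
    wp_send_json( get_option( 'example_plugin_settings', array() ) );
}

function example_sanitize_settings( array $raw ) {
    // Allow-list of known keys, each run through a sanitizer matching its type.
    $clean = array();
    $clean['discount_percent'] = min( 100, max( 0, (float) ( $raw['discount_percent'] ?? 0 ) ) );
    $clean['notice_text']      = sanitize_text_field( $raw['notice_text'] ?? '' ); // strips all tags
    $clean['notice_html']      = wp_kses_post( $raw['notice_html'] ?? '' );        // keeps safe markup, drops <script>, <meta>, on* handlers
    return $clean;
}

function example_settings_import_safe() {
    example_require_shop_manager();
    $raw = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'invalid json', 400 );
    }
    update_option( 'example_plugin_settings', example_sanitize_settings( $raw ) );
    wp_send_json_success();
}

// Escape at output time too: defence in depth in case something unsanitized
// reached the database by another route.
function example_render_notice() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo '<div class="example-notice">' . esc_html( $settings['notice_text'] ?? '' ) . '</div>';
}
add_action( 'woocommerce_before_single_product', 'example_render_notice' );

// The admin page must send the matching nonce with each request, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_settings_nonce' ) ) );
```

Two points are worth noticing. First, the capability check and the nonce are not interchangeable: the capability check stops an anonymous attacker, the nonce stops a logged-in administrator from being tricked into submitting the import on the attacker’s behalf, and the vulnerable plugin lacked both. Second, the hardened import does not try to detect “bad” JavaScript; it only accepts the fields it knows about and normalizes each one to the type it expects, which is what removes the stored XSS rather than any signature of a particular payload.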

The possible consequences

JavaScript code can be used to perform all kinds of malicious activity, from stealing cookies to spreading malware. In this case it’s also possible to replace the JavaScript code with HTML tags, such as a Meta Refresh tag that could be used to redirect visitors to a malicious website for instance.

Because the code injected via the settings import into WooCommerce Dynamic Pricing and Discounts is run on every product page of a WooCommerce shop, it looks like an ideal vulnerability for credit card skimmers (malicious code that reads your credit card details as you enter them into the checkout form).

As we reported last year, WooCommerce is increasingly being targeted by criminals, because of its large market share. We asked Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, and an avid follower of skimmers, how groups that use them would react to vulnerabilities like these.

“Two common mistakes website owners often make are to leave their Content Management System (CMS) unpatched and to believe they are not an interesting target. In many cases, users may choose not to apply security updates as they fear that it may introduce bugs or even break a website from loading properly. While this is true, it creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.

Magento, WooCommerce and several other CMSes are constantly being abused for a number of reasons. If your website does e-commerce, it becomes even more interesting as threat actors can not only target you but also your customers and their financial data in attacks such as Magecart.

Applying updates promptly is a necessity, and if for one reason or another it’s not possible, other solutions such as Web Application Firewalls exist to block known and unknown automated attacks.”

Mitigation

When using a CMS, and especially a popular one, you will have to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important. Attackers track newly disclosed vulnerabilities and scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.

To do your online shopping safely it is advisable to take as many precautions as possible. There are browsers and browser configurations that will help you against falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.