Vulnerabilities discovered in five WooCommerce WordPress plugins

The US government’s National Vulnerability Database (NVD) has published advisories for vulnerabilities in five WooCommerce WordPress plugins that together affect more than 135,000 installations.

Many of the vulnerabilities are rated high to critical, with the most severe scoring 9.8 on a scale of 1 to 10.

Each vulnerability has been assigned a CVE (Common Vulnerabilities and Exposures) identifier, which is used to reference and track it.

1. Advanced Order Export for WooCommerce

The Advanced Order Export for WooCommerce plugin, installed on more than 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A Cross-Site Request Forgery (CSRF) vulnerability is a flaw in a website plugin that lets an attacker trick a logged-in user into taking an action they did not intend, typically by getting them to open a crafted link or page.

Web browsers hold cookies that tell a website a user is registered and logged in, and the browser attaches those cookies to the forged request as well, so the request runs with the victim’s privileges. If the victim is an administrator, the attacker effectively acts with administrator privileges, which can expose sensitive customer information and more.
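The fix for this class of bug in a WordPress plugin is the same whichever of the five plugins it concerns (the coupons plugin’s changelog later in this article names it directly: AJAX requests handled without a nonce). The following is an added example, not code from any of the plugins discussed; it shows a hypothetical "export orders" AJAX handler first in the CSRF-prone shape and then with the checks WordPress provides. The function names, the action name `hypothetical_export_orders` and the CSV helper are assumptions; `check_ajax_referer`, `wp_nonce_field`, `current_user_can` and the WooCommerce capability `manage_woocommerce` are real APIs.

```php
<?php
// Added example, not code from any plugin named in the article.
// Names prefixed "hypothetical_" are assumptions for illustration.

// Builds a tiny CSV from constructed sample rows standing in for order data.
function hypothetical_build_order_csv() {
    $rows = array(
        array( 'order_id', 'email', 'total' ),
        array( 1001, 'buyer@example.com', '49.90' ),
    );
    $out = '';
    foreach ( $rows as $row ) {
        $out .= implode( ',', $row ) . "\n";
    }
    return $out;
}

// --- CSRF-prone shape ---
// Nothing ties the request to the user's intent or to a permitted role. A
// request forged from another site, carried by the victim's session cookie,
// triggers the export exactly as a legitimate click would.
function hypothetical_export_orders_unsafe() {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo hypothetical_build_order_csv();
    wp_die();
}
// Left unregistered here; a plugin with the bug would register it like this:
// add_action( 'wp_ajax_hypothetical_export_orders', 'hypothetical_export_orders_unsafe' );

// --- Hardened shape ---
// 1. The legitimate form carries a nonce bound to this user and this action.
function hypothetical_render_export_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_export_orders">
        <?php wp_nonce_field( 'hypothetical_export_orders', '_wpnonce' ); ?>
        <button type="submit">Export orders</button>
    </form>
    <?php
}

// 2. The handler verifies the nonce AND the capability before doing anything.
function hypothetical_export_orders_safe() {
    // Dies with HTTP 403 if the nonce is missing, expired, or was issued for
    // a different user or action. A site the attacker controls cannot obtain
    // the victim's nonce, so a forged request never gets past this line.
    check_ajax_referer( 'hypothetical_export_orders', '_wpnonce' );

    // A nonce only proves intent; authorization is a separate check. Order
    // data is sensitive, so require the capability shop managers and
    // administrators hold, not something every subscriber has.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo hypothetical_build_order_csv();
    wp_die();
}
add_action( 'wp_ajax_hypothetical_export_orders', 'hypothetical_export_orders_safe' );
```

Both checks matter: the Advanced Dynamic Pricing changelog quoted later lists "CSRF and broken access control" together, and a handler that verifies a nonce but never asks `current_user_can()` still lets any logged-in user trigger the action from the legitimate page.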

This particular vulnerability could result in an export file being downloaded. The vulnerability description does not say which files an attacker could obtain.

Given that the purpose of the plugin is to export WooCommerce order data, it is reasonable to assume that order data is a file type that an attacker can access.

Official vulnerability description:

“A cross-site request forgery (CSRF) vulnerability in Advanced Order Export for WooCommerce plugins <= 3.3.2 on WordPress caused the export file to be downloaded.”

The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin up to and including 3.3.2.

The plugin’s official changelog states that the bug was patched in version 3.3.3.

Read more in the National Vulnerability Database (NVD): CVE-2022-40128

2. Advanced Dynamic Pricing for WooCommerce

The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce, which is installed on more than 20,000 websites.

The plugin was found to have two cross-site request forgery (CSRF) vulnerabilities, affecting all plugin versions lower than 4.1.6.

The plugin lets merchants create discounts and pricing rules.

The first vulnerability (CVE-2022-43488) could lead to “rule type migration.”

That description is vague; one plausible reading is that the flaw relates to the ability to change pricing rules.

Official description provided by NVD:

“A cross-site request forgery (CSRF) vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress resulted in rule type migration.”

Read more on NVD: CVE-2022-43488

NVD has assigned a second CVE number, CVE-2022-43491, to the other CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin.

NVD’s official description of the vulnerability is:

“A cross-site request forgery (CSRF) vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress caused plugin settings to be imported.”

The official plugin changelog notes:

“Changelog – 4.1.6 – 2022-10-26

Fixed some CSRF and broken access control vulnerabilities”

Read the official NVD advisory: CVE-2022-43491

3. Advanced Coupons for WooCommerce Coupons Plugin

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has more than 10,000 installations.

The problem discovered in this plugin is also a CSRF vulnerability, affecting all versions below 4.5.0.1.

The plugin changelog records the patch as a bug fix:

“4.5.0.1

Bugfix: Getting started notifications fired for AJAX requests without a nonce.”

The official NVD description is:

“A Cross-Site Request Forgery (CSRF) vulnerability exists in Advanced Coupons for the WooCommerce Coupons plugin <= 4.5 on WordPress, resulting in rejected notifications.”

Read more on NVD: CVE-2022-43481

4. WooCommerce Dropshipping by OPMC – Critical

The fourth affected software is the WooCommerce Dropshipping plugin by OPMC, which has more than 3,000 installations.

Versions of this plugin earlier than 4.4 contain an unauthenticated SQL injection vulnerability rated 9.8 on a scale of 1-10 and marked critical.

Typically, an SQL injection vulnerability lets an attacker manipulate the WordPress database directly: gaining administrator-level privileges, altering or deleting data, or downloading sensitive information.

NVD describes this particular plugin vulnerability:

“The WooCommerce Dropshipping WordPress plugin prior to 4.4 did not properly sanitize and escape parameters before using them in SQL statements via REST endpoints available to unauthenticated users, resulting in SQL injection.”
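The NVD text names two separate failures: a REST endpoint reachable without authentication, and a parameter placed into SQL without escaping. The following is an added example, not the plugin’s code; it shows a hypothetical REST route that looks up a product by SKU in the shape NVD describes and then in the hardened shape, using the WordPress `$wpdb->prepare()` and `register_rest_route()` APIs. The route namespace `hypothetical-dropship/v1`, the handler names and the use of the `_sku` meta key are assumptions.

```php
<?php
// Added example, not code from the WooCommerce Dropshipping plugin.
// Names prefixed "hypothetical_" and the route namespace are assumptions.

// --- Vulnerable shape: the two defects NVD describes ---
function hypothetical_lookup_sku_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $sku = $request->get_param( 'sku' );
    // Defect 1: the parameter is interpolated straight into the SQL string,
    // so its content can change the query structure, not just the value.
    $sql = "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = '_sku' AND meta_value = '$sku'";
    return rest_ensure_response( $wpdb->get_col( $sql ) );
}
// Defect 2 would be registering it with 'permission_callback' => '__return_true',
// which is what makes an endpoint "available to unauthenticated users".

// --- Hardened shape ---
function hypothetical_lookup_sku_safe( WP_REST_Request $request ) {
    global $wpdb;
    // Already validated and sanitized by the 'args' schema declared below.
    $sku = $request->get_param( 'sku' );
    // $wpdb->prepare() escapes the value and binds it to a %s placeholder;
    // the SQL structure is fixed before any user data is involved.
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = '_sku' AND meta_value = %s",
        $sku
    );
    return rest_ensure_response( array_map( 'intval', $wpdb->get_col( $sql ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical-dropship/v1', '/sku', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'hypothetical_lookup_sku_safe',
        // Evaluated before the callback: anonymous callers get a 401/403 and
        // never reach the query at all.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'sku' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // Allow-list the character set a SKU can contain; anything
                // else is rejected with a 400 before the handler runs.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );
```

Two review habits catch this bug class early: every `register_rest_route()` call should have a `permission_callback` that is not `__return_true` unless the data is genuinely public, and any string passed to `$wpdb->query()`, `get_results()`, `get_col()` or `get_var()` that contains a PHP variable should be produced by `$wpdb->prepare()`.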

Read more on NVD: CVE-2022-3481

Read the official plugin changelog.

5. WooCommerce Role Based Pricing

The Role Based Pricing for WooCommerce plugin has two cross-site request forgery (CSRF) vulnerabilities. It has 2,000 installs.

As noted for the other plugins, CSRF vulnerabilities usually involve an attacker tricking an administrator or another user into clicking a link or performing some other action, which could let the attacker act with that user’s permission level on the website.

This vulnerability is rated 8.8 High.

The NVD description for the first vulnerability warns:

“Role-based pricing for WooCommerce WordPress plugins prior to 1.6.2 did not have authorization and proper CSRF checks, and did not validate files to be uploaded, allowing any authenticated user (such as a subscriber) to upload arbitrary files, such as PHP”

The following is the official NVD description of the second vulnerability:

“Role-based pricing for WooCommerce WordPress plugins prior to 1.6.3 did not have authorization and proper CSRF checks, nor did it validate the path given through user input, allowing any authenticated user (such as a subscriber) to perform a PHAR deserialization attack when they can upload a file and a suitable gadget chain is present on the blog.”
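The two NVD descriptions above list three missing controls: authorization, a CSRF check, and validation of both the uploaded file and a user-supplied path. The following is an added example, not the plugin’s code, showing a hypothetical "import pricing rules" AJAX handler with all three in place, plus a helper that confines a user-supplied file name to the plugin’s own directory so that a `phar://` or traversal path can never reach a file operation. The handler, action and directory names are assumptions; `wp_check_filetype_and_ext`, `wp_upload_dir`, `wp_unique_filename` and `sanitize_file_name` are real WordPress functions.

```php
<?php
// Added example, not code from the Role Based Pricing for WooCommerce plugin.
// Names prefixed "hypothetical_" and the "hypothetical-rules" directory are assumptions.

function hypothetical_import_rules() {
    // CSRF check and authorization, the same pattern as for any privileged action.
    check_ajax_referer( 'hypothetical_import_rules', '_wpnonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    if ( empty( $_FILES['rules'] ) || UPLOAD_ERR_OK !== $_FILES['rules']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }

    // 1. Validate the file content, not just its name. The extension and the
    // detected MIME type are checked against an allow-list, so a PHP file or a
    // PHAR archive renamed to .csv is rejected here.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['rules']['tmp_name'],
        $_FILES['rules']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'Only CSV files are accepted' ), 400 );
    }

    // 2. Store it under a server-chosen name in a server-chosen directory;
    // nothing from the request decides where the file lands.
    $base = trailingslashit( wp_upload_dir()['basedir'] ) . 'hypothetical-rules/';
    wp_mkdir_p( $base );
    $dest = $base . wp_unique_filename( $base, 'rules-' . wp_generate_password( 12, false ) . '.csv' );
    if ( ! move_uploaded_file( $_FILES['rules']['tmp_name'], $dest ) ) {
        wp_send_json_error( array( 'message' => 'Could not store file' ), 500 );
    }

    $rows = array_map( 'str_getcsv', file( $dest, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) );
    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}
add_action( 'wp_ajax_hypothetical_import_rules', 'hypothetical_import_rules' );

// 3. Any later read of a file chosen by the user goes through this resolver.
// It drops stream wrappers (phar://, php://, ...) and directory components,
// then proves the resolved path is inside the plugin's directory. Returns the
// absolute path, or false if the name cannot be honoured.
function hypothetical_resolve_rules_path( $user_supplied_name ) {
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'hypothetical-rules' );
    if ( false === $base ) {
        return false;
    }
    // basename() keeps only the final path component, so a scheme prefix or
    // "../" sequence is discarded before the name is used.
    $name = sanitize_file_name( basename( (string) $user_supplied_name ) );
    if ( '' === $name || preg_match( '/\.csv$/i', $name ) !== 1 ) {
        return false;
    }
    // realpath() returns false for a missing file and collapses any remaining
    // "..", so the prefix comparison is done on a canonical path.
    $full = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $full || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $full;
}
```

The resolver is the part that addresses the second CVE: `file_exists()`, `is_file()`, `file()` and similar calls accept stream wrappers, so the defence is to ensure a user-controlled string never reaches them unfiltered rather than to block one particular wrapper by name.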

According to the official Role Based Pricing for WooCommerce plugin changelog, the plugin is fully patched in version 1.6.2:

“Changelog 2022-10-01 – Version 1.6.2

* Fixed arbitrary file upload vulnerability.

* Fixed ajax nonce check issue.”

Read the official NVD documentation:

CVE-2022-3537

CVE-2022-3536

Course of Action

Update every affected plugin to its patched version. It is also best practice to back up the site before any plugin update and, where possible, to apply and test the update on a staging copy of the site first.


Featured Image Shutterstock/Master1305

