Vulnerabilities Found in Five WooCommerce WordPress Plugins

The U.S. government National Vulnerability Database (NVD) published advisories for vulnerabilities in five WooCommerce WordPress plugins, affecting over 135,000 installations combined.


The vulnerabilities range in severity up to Critical, with the most severe rated 9.8 on the 10-point CVSS scale.

Each vulnerability was assigned a CVE (Common Vulnerabilities and Exposures) identifier, the standard reference number given to publicly disclosed vulnerabilities.

1. Advanced Order Export For WooCommerce

The Advanced Order Export for WooCommerce plugin, installed on around 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A Cross-Site Request Forgery (CSRF) vulnerability arises when a plugin performs an action in response to an incoming request without verifying that the logged-in user actually intended it. This allows an attacker to trick a site user into carrying out an unintended action.

Web browsers automatically attach a site's cookies, including the WordPress login cookie, to every request sent to that site, so a request forged from an attacker-controlled page runs with the privileges of whichever user is logged in. If that user is an administrator, the forged action executes with full administrator rights, which can expose sensitive customer information, change settings, and so on. In WordPress the standard defense is a nonce (a per-user, time-limited token) that the request handler verifies, combined with a capability check.

This particular vulnerability can lead to an export file download. The vulnerability description doesn't say which file an attacker can cause to be downloaded.

Given that the plugin's purpose is to export WooCommerce order data, it is reasonable to assume that order data is the kind of file involved.
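The following is an added illustration of the CSRF pattern described above, written for this article; it is not code from Advanced Order Export or any other plugin named here. It uses a hypothetical "myshop" plugin with a hypothetical helper myshop_build_order_csv(), and shows an AJAX export handler first without, then with, the nonce and capability checks WordPress provides. The same fix applies to the state-changing handlers in sections 2 and 3 (settings import, rule migration, notice dismissal), which are the more dangerous case, since with a forged request the attacker triggers the action but never sees the response.

```php
<?php
// Added illustration, not code from any plugin named in this article.
// Hypothetical plugin "myshop"; myshop_build_order_csv() is a hypothetical helper.

// VULNERABLE: any logged-in admin whose browser is made to request
// /wp-admin/admin-ajax.php?action=myshop_export (an <img src=...> or an
// auto-submitting <form> on an attacker's page is enough) triggers the export,
// because the browser attaches the admin's login cookies automatically.
function myshop_export_orders_vulnerable() {
    $csv = myshop_build_order_csv();
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    wp_die();
}
// add_action( 'wp_ajax_myshop_export', 'myshop_export_orders_vulnerable' );

// HARDENED: the nonce proves the request was built by a page this site rendered
// for this user (check_ajax_referer() terminates the request with 403 on a
// missing or stale nonce). The capability check enforces authorization on its
// own: a nonce is an intent check, not an access control, so both are needed.
function myshop_export_orders_hardened() {
    check_ajax_referer( 'myshop_export', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $csv = myshop_build_order_csv();
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    wp_die();
}
add_action( 'wp_ajax_myshop_export', 'myshop_export_orders_hardened' );

// The admin page that offers the export link must mint the matching nonce.
// An attacker's page cannot do this: wp_create_nonce() ties the value to the
// current user's session and a time window, and it is never sent cross-site.
function myshop_export_button() {
    $url = wp_nonce_url(
        admin_url( 'admin-ajax.php?action=myshop_export' ),
        'myshop_export',
        'nonce'
    );
    printf( '<a href="%s">Export orders</a>', esc_url( $url ) );
}
```

When auditing a plugin for this class of bug, look for every wp_ajax_* and admin_post_* handler and confirm it calls check_ajax_referer() or check_admin_referer() and a current_user_can() check before doing any work; a handler that only checks is_user_logged_in() is still forgeable.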

The official vulnerability description:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”

The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.

The official changelog for the plugin notes that the vulnerability was patched in version 3.3.3.

Read more at the National Vulnerability Database (NVD): CVE-2022-40128

2. Advanced Dynamic Pricing for WooCommerce

The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce which is installed in over 20,000 websites.

This plugin was discovered to have two Cross-Site Request Forgery (CSRF) vulnerabilities that affect all plugin versions less than 4.1.6.

The purpose of the plugin is to make it easy for merchants to create discount and pricing rules.

The first vulnerability (CVE-2022-43488) can lead to a “rule type migration.”

That’s somewhat vague. One reasonable reading is that the vulnerability involves the ability to change the plugin's pricing rules.

The official description provided at the NVD:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”

Read more at the NVD: CVE-2022-43488

The NVD assigned the second CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin a CVE number, CVE-2022-43491.

The official NVD description of the vulnerability is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.”

The official plugin changelog notes:

“Changelog – 4.1.6 – 2022-10-26

Fixed some CSRF and broken access control vulnerabilities”

Read the official NVD announcement: CVE-2022-43491

3. Advanced Coupons for WooCommerce Coupons plugin

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs.

The problem discovered in this plugin is also a CSRF vulnerability and affects all versions before 4.5.0.1 (that is, 4.5 and earlier).

The plugin changelog describes the patch simply as a bug fix:

“4.5.0.1

Bug Fix: The getting started notice dismiss AJAX request has no nonce value.”

The official NVD description is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”

Read more at the NVD: CVE-2022-43481

4. WooCommerce Dropshipping by OPMC – Critical

The fourth affected software is the WooCommerce Dropshipping by OPMC plugin which has over 3,000 installations.

Versions of this plugin before 4.4 contain an unauthenticated SQL injection vulnerability rated 9.8 on the 10-point CVSS scale and labeled Critical.

In general, a SQL injection vulnerability lets an attacker run SQL of their own choosing against the WordPress database: read sensitive data such as password hashes and customer records, alter or delete tables, or insert an administrator account and take over the site. Because this one is reachable without logging in, the attacker needs no prior access to the site.

The NVD describes this specific plugin vulnerability:

“The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.”
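The following is an added example, written for this article, of the flaw shape the NVD description outlines: a REST route open to unauthenticated callers that drops a request parameter straight into SQL. It is not the WooCommerce Dropshipping plugin's code; the route, table and parameter names are hypothetical. The vulnerable handler is shown beside a hardened one that uses $wpdb->prepare() and a real permission_callback.

```php
<?php
// Added illustration, not the WooCommerce Dropshipping plugin's code.
// Hypothetical route GET /wp-json/myshop/v1/supplier?name=... that looks up a
// supplier row in a hypothetical {prefix}myshop_suppliers table.

// VULNERABLE: 'name' is interpolated into the SQL string unescaped, and the
// route (registered below with permission_callback => '__return_true') accepts
// unauthenticated callers. A request such as
//   ?name=x' UNION SELECT user_login, user_pass, 3 FROM wp_users-- -
// returns password hashes in place of supplier rows (column count must match).
function myshop_get_supplier_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $name = $request->get_param( 'name' );
    $sql  = "SELECT id, name, email FROM {$wpdb->prefix}myshop_suppliers WHERE name = '$name'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED: $wpdb->prepare() binds the value with a %s placeholder, so a quote
// in the input can never close the string literal. The permission_callback
// limits the route to shop managers. These are independent fixes: a properly
// prepared query on an open endpoint is still an unauthenticated data read,
// and an authenticated endpoint with string-built SQL is still injectable.
function myshop_get_supplier_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $name = sanitize_text_field( $request->get_param( 'name' ) );
    $sql  = $wpdb->prepare(
        "SELECT id, name, email FROM {$wpdb->prefix}myshop_suppliers WHERE name = %s",
        $name
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    // The vulnerable registration would look like this (left commented out):
    // register_rest_route( 'myshop/v1', '/supplier', array(
    //     'methods'             => 'GET',
    //     'callback'            => 'myshop_get_supplier_vulnerable',
    //     'permission_callback' => '__return_true',
    // ) );

    register_rest_route( 'myshop/v1', '/supplier', array(
        'methods'             => 'GET',
        'callback'            => 'myshop_get_supplier_hardened',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

A quick audit check for this bug class: grep the plugin for register_rest_route() calls whose permission_callback is '__return_true', then follow each callback for $wpdb calls that build SQL with string interpolation or concatenation instead of $wpdb->prepare().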

Read more at the NVD: CVE-2022-3481

Read the official plugin changelog.

5. Role Based Pricing for WooCommerce

The Role Based Pricing for WooCommerce plugin has two Cross-Site Request Forgery (CSRF) vulnerabilities. There are 2,000 installations of this plugin.

As noted above, a CSRF vulnerability generally involves an attacker tricking an admin or other user into clicking a link or visiting a page, so that the forged request is carried out with that user's permissions.

This vulnerability is rated 8.8 High.

The NVD description of the first vulnerability warns:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP”

The following is the official NVD description of the second vulnerability:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog”
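The following is an added example, written for this article and not the Role Based Pricing plugin's code, of what a handler that closes all three gaps in the two NVD descriptions looks like: authorization and CSRF checks, upload validation that refuses PHP and PHAR files, and a path check that never lets user input select a stream wrapper such as phar://. The AJAX action, parameter names and table layout are hypothetical. PHP 8.0 stopped deserializing PHAR metadata on plain filesystem calls, but older PHP releases remain common on WordPress hosts, so the path check matters regardless of the upload fix.

```php
<?php
// Added illustration, not the Role Based Pricing plugin's code. Hypothetical
// AJAX action that takes a CSV of per-role prices plus an optional 'path'
// naming an already-uploaded file to process.

function myshop_import_prices() {
    // 1. CSRF and authorization. Both NVD descriptions note the absence of
    //    these checks; without them any subscriber can reach the code below.
    check_ajax_referer( 'myshop_import', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Upload validation: the extension AND the sniffed content must both
    //    resolve to CSV, so prices.php, prices.phar and prices.csv.php are all
    //    rejected. wp_handle_upload() then moves the file into wp-content/uploads.
    if ( empty( $_FILES['prices'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['prices']['tmp_name'],
        $_FILES['prices']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'only CSV accepted', 415 );
    }
    $moved = wp_handle_upload( $_FILES['prices'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    // 3. Path validation: user input may only be a bare file name inside the
    //    uploads directory. "phar://evil.phar/x", "../../wp-config.php" and
    //    absolute paths all fail myshop_resolve_upload_path().
    $requested = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : basename( $moved['file'] );
    $resolved  = myshop_resolve_upload_path( $requested );
    if ( null === $resolved ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    $rows = array_map( 'str_getcsv', file( $resolved, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) );
    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}
add_action( 'wp_ajax_myshop_import', 'myshop_import_prices' );

// Returns an absolute path inside the uploads directory, or null for anything
// else. Requiring $input === basename($input) rejects every string containing
// a slash, which covers directory traversal and all "scheme://" stream
// wrappers in one comparison; realpath() then resolves symlinks so the final
// prefix check is made against the real location.
function myshop_resolve_upload_path( $input ) {
    if ( '' === $input || $input !== basename( $input ) ) {
        return null;
    }
    $base = realpath( wp_upload_dir()['basedir'] );
    $full = realpath( $base . DIRECTORY_SEPARATOR . $input );
    if ( false === $full || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) || ! is_file( $full ) ) {
        return null;
    }
    return $full;
}
```

Note the order: the path is validated before any filesystem function (file_exists, is_file, file) touches it, because on affected PHP versions those calls are exactly what triggers PHAR metadata deserialization when handed a phar:// path.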

The official Role Based Pricing for WooCommerce changelog lists the fixes under version 1.6.2. Note, however, that the NVD description of the second vulnerability names 1.6.3 as the first fixed version, so sites should update to 1.6.3 or later:

“Changelog 2022-10-01 – version 1.6.2

* Fixed the Arbitrary File Upload Vulnerability.

* Fixed the issue of ajax nonce check.”

Read the official NVD documentation:

CVE-2022-3537

CVE-2022-3536

Course of Action

It is good practice to update all vulnerable plugins promptly to the patched versions noted above. It's also best practice to back up the site before making any plugin updates and, where possible, to apply the update on a staging copy of the site and test it before updating production.


Featured image by Shutterstock/Master1305
