Update now! WordPress sites vulnerable to WooCommerce plugin flaw – Naked Security
Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site.
WooCommerce’s 4 million plus users were first alerted to the issue a few weeks back in the release notes for the updated version:
Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.
This week, PHP security company RIPS Technologies published the research that led to this warning, which gives WooCommerce and WordPress admins more of the gory detail.
There are two parts to the vulnerability, the first of which the researchers describe as a “design flaw in the privilege system of WordPress.”
The second, in WooCommerce itself, is an apparently simple file deletion vulnerability affecting versions 3.4.5 and earlier.
Which of the two is the bigger issue depends on whether you worry more about a site’s e-commerce function or happen to be its admin – either way, the combination spells trouble.
After gaining access via a phishing attack or as an inside job, an attacker could use a weakness in the log file deletion routine to delete woocommerce.php, taking down the site and causing WordPress to disable the plugin.
This, RIPS Technologies researcher Simon Scannell discovered, would be enough for any WooCommerce user with a Shop Manager account and an understanding of what they’d just done to compromise the entire site.
When WooCommerce is installed, the Shop Manager role is assigned the potent edit_users capability needed to edit customer accounts, which is stored by WordPress itself.
Because this could be used to edit the WordPress site’s admin account too, its scope is limited by a special WooCommerce ‘meta capability’ filter.
Unfortunately, for WordPress to apply this safeguard the plugin needs to be active – which it wouldn’t be if an attacker has exploited the WooCommerce file deletion weakness.
The meta privilege check which restricts shop managers from editing administrators would not execute and the default behaviour of allowing users with edit_users to edit any user, even administrators, would occur.
The WooCommerce account with Shop Manager privileges would then be able to elevate these to change the site’s password and, with it, take control of the entire site.
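The interaction described above, modelled as an added Python sketch (not WordPress or WooCommerce code; the role table, user IDs, filter function and audit helper are all constructed for illustration). It shows why a capability stored in the database fails open once the plugin that restricts it stops loading, and how an admin could flag that state:

```python
"""Toy model: stored role capabilities vs. a restriction supplied by a plugin."""

# Constructed sample data. Roles and their capabilities persist in the
# database, so they survive the plugin being disabled.
ROLES_DB = {
    "administrator": {"edit_users", "manage_options"},
    "shop_manager": {"edit_users"},  # granted when the plugin is installed
    "customer": set(),
}
USERS = {1: "administrator", 2: "shop_manager", 3: "customer"}


def shop_manager_filter(actor_role, target_role, allowed):
    """Plugin-side restriction: Shop Managers may only edit whitelisted roles."""
    if actor_role == "shop_manager" and target_role not in {"customer"}:
        return False
    return allowed


class Site:
    def __init__(self, plugin_active):
        # The filter exists only while the plugin's code is actually loaded.
        self.filters = [shop_manager_filter] if plugin_active else []

    def can_edit_user(self, actor_id, target_id):
        actor_role, target_role = USERS[actor_id], USERS[target_id]
        allowed = "edit_users" in ROLES_DB[actor_role]  # stored capability
        for restrict in self.filters:                    # runtime restrictions
            allowed = restrict(actor_role, target_role, allowed)
        return allowed


def audit_orphaned_grants(roles_db, plugin_active, plugin_roles=("shop_manager",)):
    """Flag plugin-created roles still holding edit_users while the plugin is off."""
    if plugin_active:
        return []
    return sorted(r for r in plugin_roles if "edit_users" in roles_db.get(r, ()))


if __name__ == "__main__":
    for active in (True, False):
        site = Site(plugin_active=active)
        print(f"plugin active={active}: shop manager may edit admin ->",
              site.can_edit_user(2, 1),
              "| audit:", audit_orphaned_grants(ROLES_DB, active))
```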
What to do
On the WooCommerce side, make sure it’s been upgraded to version 3.4.6, which appeared on 11 October. Plugins aren’t updated by default, which means that admins may have to initiate this for themselves via the wp-admin dashboard/plugins sidebar.
As for the WooCommerce fix:
With this release, Shop Managers can only edit users with the Customer role by default, and there’s a whitelist of roles that Shop Managers can edit.
Redesigning the way the WordPress permission system interacts with plugins might take a little longer.
For reasons as long as your arm, plugins have always been WordPress’s underbelly. The TL;DR is that they need constant tending as does the platform itself – never take either for granted.