WooCommerce Plugin Vulnerabilities Allow Attackers to Target WordPress Sites


Owners and administrators of WordPress-powered e-commerce websites running the WooCommerce platform have been warned that attackers are exploiting vulnerabilities recently discovered by researchers in a discount plugin.

Researchers at the web security company WebARX found the vulnerabilities on August 7 in Discount Rules for WooCommerce, a plugin deployed on more than 30,000 websites that lets store owners create different types of discounts for their products. The developer fixed the vulnerabilities within a week with the release of version 2.1.0.

However, it is now critical that website administrators upgrade the plugin, as WebARX says it is seeing the vulnerabilities being exploited in attacks.

The vulnerabilities were identified as SQL injection, stored cross-site scripting (XSS), and authorization issues. Exploitation of the stored XSS vulnerability could allow an unauthenticated attacker to execute arbitrary code.

WebARX explained that an attacker trying to exploit the vulnerabilities first has to scan the internet for affected WordPress websites, identifying them by searching for the “woocommerce” string in their source code. Once they have identified a possible target, they deliver a malicious payload to it.

In the attacks observed by WebARX, the cybercriminals inject a JavaScript file that redirects visitors to a site of their own, which most likely hosts advertisements and malware.

“Since the issue allows the attacker to insert the payload into any template hook(s) they want, it may be used to cause other exploits if the site has other insecure plugins enabled but we haven’t seen the payload yet,” explained WebARX. “Because HTML / JavaScript can be inserted into any template hook, this could be misused to perform inappropriate behavior on the site’s administration pages and thus potentially lead to remote execution of code.”
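The redirect symptom and the template-hook injection described above, as an added defender-side check that is not part of the WebARX report or the plugin's code: it parses a constructed sample of a store page, flags scripts loaded from hosts other than the site's own and inline scripts that rewrite the location, and compares an installed plugin version against the fixed 2.1.0. The host name shop.example, the cdn-evil.example host and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIXED_VERSION = (2, 1, 0)  # first patched release named in the article

# Constructed sample of a store page: one legitimate script, one foreign
# script include and one inline redirect of the kind the attackers inject.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example/wp-includes/js/jquery.js"></script>
<script src="https://cdn-evil.example/r.js"></script>
<script>window.location.href="https://cdn-evil.example/";</script>
</head><body class="woocommerce"></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

REDIRECT_RE = re.compile(r"(window\.|document\.)?location(\.href)?\s*(=|\.replace\()")

def find_suspicious_scripts(html, site_host):
    """Flag scripts served from hosts other than the site's own and inline
    scripts that rewrite the location; both are symptoms of the injection."""
    p = ScriptCollector()
    p.feed(html)
    findings = [("external-script", s) for s in p.external
                if urlparse(s).hostname not in (None, site_host)]
    findings += [("inline-redirect", b.strip()) for b in p.inline
                 if REDIRECT_RE.search(b)]
    return findings

def plugin_is_vulnerable(version):
    """True if the installed Discount Rules version predates the fixed 2.1.0."""
    parts = tuple(int(x) for x in version.split("."))
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION
```

Relative script paths (no host) are treated as the site's own; a real scan would also compare the flagged hosts against the site's known CDNs.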

A recent WebARX report showed that web professionals are increasingly worried about website security. About 43 per cent of respondents who took part in the company’s survey said they had seen a rise in attacks, and a fifth of them had seen a website hacked in the month leading up to the study.

Lack of information, blocking and preventing attacks, vulnerabilities in plug-in and third-party code, software updates, and client awareness were the top challenges professionals cited when dealing with website security.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.