Owners and administrators of WordPress e-commerce websites running the WooCommerce platform have been warned that vulnerabilities recently discovered by researchers in a discount plugin are being exploited in attacks.
Researchers at the Web security company WebARX found the vulnerabilities on August 7 in Discount Rules for WooCommerce, a plugin that has been deployed on over 30,000 websites and that enables users to generate different types of discounts for their items. With the release of version 2.1.0 the developer fixed the vulnerabilities within a week.
It is now critical that website administrators upgrade the plugin, however, as WebARX says it is seeing the vulnerabilities being exploited in attacks.
The vulnerabilities were identified as SQL injection, stored cross-site scripting (XSS), and authorization issues. Exploitation of the stored XSS vulnerability could allow an unauthenticated attacker to execute arbitrary code, in the form of script that runs in the browser of anyone viewing the affected page, such as a site administrator.
WebARX said that an attacker trying to exploit the vulnerabilities would first have to scan the internet for affected WordPress websites, which can be fingerprinted by searching for the “woocommerce” string in their page source. Once a potential target has been identified, the attacker sends it a malicious payload.
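As an added illustration (this is not code from the article or from WebARX), the following Python mirrors the two checks an administrator can run against their own site: the same “woocommerce” fingerprint an attacker looks for in page source, and whether the installed plugin version predates the 2.1.0 release named above, read from the plugin's readme.txt “Stable tag:” line (the standard WordPress plugin readme header). The sample HTML and readme text are constructed, not captured from a real site. Versions are compared numerically so that a string such as 2.0.10 is correctly treated as older than 2.1.0.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs (not captured from any real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css">
</head><body class="woocommerce-page">...</body></html>"""

SAMPLE_README_OLD = (
    "=== Discount Rules for WooCommerce ===\n"
    "Stable tag: 2.0.1\n"          # constructed pre-fix version
    "Requires at least: 4.0\n"
)
SAMPLE_README_FIXED = (
    "=== Discount Rules for WooCommerce ===\n"
    "Stable tag: 2.1.0\n"
)

# Release the article names as containing the fix.
FIXED_VERSION = "2.1.0"


def is_woocommerce_site(html: str) -> bool:
    """The attacker's first step: look for 'woocommerce' anywhere in page source."""
    return "woocommerce" in html.lower()


def stable_tag(readme: str) -> Optional[str]:
    """Pull the version out of a plugin readme.txt 'Stable tag:' header.

    Returns None when the tag is missing or non-numeric (e.g. 'trunk').
    """
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split(".") if p)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    # Pad with zeros so '2.1' compares equal to '2.1.0'.
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def assess(html: str, readme: str) -> str:
    """Combine both checks into one verdict for a site."""
    if not is_woocommerce_site(html):
        return "not-woocommerce"
    version = stable_tag(readme)
    if version is None:
        return "unknown-version"
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_HTML, SAMPLE_README_OLD))    # vulnerable
    print(assess(SAMPLE_HTML, SAMPLE_README_FIXED))  # patched
```

On a live installation the readme lives under wp-content/plugins/<plugin-slug>/readme.txt; feed its contents and the site's homepage HTML to `assess()`. A verdict of “vulnerable” means the plugin should be updated before anything else.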
A recent WebARX report showed that web professionals are increasingly worried about the protection of websites. About 43 per cent of respondents to the company’s survey said they had seen a rise in attacks, and a fifth of them had seen a website hacked in the month leading up to the study.
Lack of information, blocking and preventing attacks, vulnerabilities in plugin and third-party code, software updates, and client awareness were the top challenges professionals cited when dealing with website security.