WordPress users that own an eCommerce website powered by the WooCommerce plugin should know that their online store could be compromised.
WooCommerce is a widely-used WordPress plugin that powers almost 35% of all e-stores and has over 4 million installations.
Simon Scannell, a security researcher at RIPS Technologies GmbH, has discovered an arbitrary file deletion flaw in the WooCommerce plugin. The vulnerability could allow malicious actors to gain control over unpatched online stores.
A flaw in the way WordPress handles privileges can lead to privilege escalation through WordPress plugins. This affects, for example, WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then take over any administrator account.
The researcher reveals the technical details of the exploit in a blog post.
WordPress automatically allows accounts with the edit_users permission to adjust user settings, including the credentials of an admin account. The WooCommerce plugin, however, registers meta capabilities (a filter on the capability checks) that control whether a user may adjust such settings, preventing the Shop Manager role from editing administrator accounts.
Vulnerability in WooCommerce plugin
The researcher published a video that illustrates the exploitation of the WooCommerce file-deletion flaw combined with the WordPress privilege design issue.
The video demonstrates how WordPress handles user privileges and how the file-deletion flaw in the plugin enables an account with Shop Manager permissions to reset the administrator's credentials and take full control over the website.
Simon Scannell revealed that if the administrator disables the WooCommerce plugin, the configuration that imposed the limitation no longer applies, and Shop Manager accounts are able to edit and reset the administrator credentials. The researcher indicates that a malicious manager account can disable the WooCommerce plugin itself by exploiting a file deletion flaw in the plugin's logging feature.
This vulnerability allows shop managers to delete any file on the server that the web server can write to. If the main file of WooCommerce, woocommerce.php, is deleted, WordPress is unable to load the plugin and disables it.
Once the malicious shop manager deletes the file and the WooCommerce plugin is disabled, the capability restriction is gone: shop managers are able to update the password of the administrator account and take over access to and control of the e-shop.
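The restriction that WooCommerce adds lives inside a regular plugin, so it disappears the moment that plugin is disabled. The following is an added example (not code from WooCommerce or from the RIPS research) of how a site owner can enforce the same rule from a must-use plugin, which WordPress loads from wp-content/mu-plugins/ and which cannot be deactivated from the dashboard. It hooks the core map_meta_cap filter; the plugin and function names are invented for this example.

```php
<?php
/**
 * Plugin Name: Protect Administrator Accounts (constructed example)
 * Description: Deny non-administrators the edit_user / delete_user /
 *              remove_user meta capabilities on administrator accounts,
 *              independently of whether any regular plugin is active.
 *
 * Place this file in wp-content/mu-plugins/ so it is always loaded.
 */

// map_meta_cap is the core WordPress filter that resolves a meta capability
// (e.g. edit_user on a specific user) into the primitive capabilities the
// acting user must hold. Returning 'do_not_allow' denies the action outright.
add_filter( 'map_meta_cap', 'pac_protect_admin_accounts', 10, 4 );

function pac_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Only the meta capabilities that target another user account matter here.
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user', 'remove_user' ), true ) ) {
        return $caps;
    }

    // For these capabilities, $args[0] is the ID of the user being acted on.
    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( $target_id === 0 || $target_id === (int) $user_id ) {
        return $caps; // editing one's own profile is unaffected
    }

    // Nothing to protect unless the target account is an administrator.
    $target = get_userdata( $target_id );
    if ( ! $target || ! in_array( 'administrator', (array) $target->roles, true ) ) {
        return $caps;
    }

    // Only an administrator may edit, delete or remove another administrator.
    // A Shop Manager (or any other role holding edit_users) is refused even
    // when WooCommerce and its own capability filter are not loaded.
    $actor = get_userdata( (int) $user_id );
    if ( ! $actor || ! in_array( 'administrator', (array) $actor->roles, true ) ) {
        return array( 'do_not_allow' );
    }

    return $caps;
}
```

This does not fix the file-deletion flaw itself, which is addressed by updating WooCommerce; it only removes the privilege-escalation step that deleting woocommerce.php would otherwise unlock.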
Users are advised to install the WooCommerce and WordPress updates
The vulnerability was reported to Automattic's security team, the maintainers of the WooCommerce plugin. The flaw was fixed in WooCommerce version 3.4.6.
If you are running an earlier version of the WooCommerce plugin, make sure to update your WordPress and WooCommerce as soon as possible.