The Wordfence Threat Intelligence team was made aware, on August 20, 2020, of several vulnerabilities in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. Discount Rules for WooCommerce is a WordPress plugin designed to work with the WooCommerce e-Commerce plugin to create custom rules for discounts.
In response, Wordfence released a firewall rule protecting against these vulnerabilities on the same day. During their investigation they also discovered a completely separate group of vulnerabilities in the same plugin which were not yet patched. A firewall rule protecting against this second group was released the next day, August 21, 2020.
After being contacted by Wordfence, who disclosed the full details of the vulnerabilities, Flycart responded that they were already aware of one of the issues and released an interim patch on August 22, 2020. Flycart then released a more comprehensive patch on September 2, 2020, and a patch addressing the remaining issues on September 9, 2020.
The vulnerabilities could enable attackers to view all of the coupons available on a website and to activate, duplicate, and delete discount rules. At least two of the plugin's actions, "savePriceRule" and "saveCartRule", were also vulnerable to stored Cross-Site Scripting (XSS) in several of the rule fields, meaning that script injected into a rule would later execute in the browser of whoever viewed that rule. This could lead to direct financial loss and reputational damage for affected e-commerce sites.
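To illustrate the class of weakness described above, here is an added example, written for this page and not taken from the Discount Rules for WooCommerce code base: a hypothetical WordPress admin-ajax handler that is reachable without authorization and stores a rule name unsanitized, followed by the hardened form with nonce, capability, sanitization and output-escaping checks. The action names `save_example_rule` and `save_example_rule_secure`, the option key `example_discount_rule`, the nonce action `example_rule_nonce` and the `security` request field are all assumptions made for this example.

```php
<?php
// Added example (not the plugin's code). Shows the weakness class described in
// the text: an AJAX action that any visitor can call, which stores attacker-
// controlled text that is later echoed into a wp-admin page (stored XSS).

// --- Vulnerable pattern -----------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* as well exposes it to
// unauthenticated visitors; the callback checks neither a nonce nor a capability.
add_action( 'wp_ajax_save_example_rule', 'example_save_rule_vulnerable' );
add_action( 'wp_ajax_nopriv_save_example_rule', 'example_save_rule_vulnerable' );

function example_save_rule_vulnerable() {
    $rule = array(
        'name'     => $_POST['name'],      // stored verbatim: "<script>..." survives
        'discount' => $_POST['discount'],
    );
    update_option( 'example_discount_rule', $rule ); // option key is assumed
    wp_send_json_success( $rule );
}

function example_render_rule_vulnerable() {
    $rule = get_option( 'example_discount_rule' );
    // Unescaped output inside wp-admin: a stored payload runs in the admin's browser.
    echo '<td>' . $rule['name'] . '</td>';
}

// --- Hardened pattern -------------------------------------------------------
// Authenticated hook only, CSRF nonce, capability check, input sanitization,
// and escaping at output time.
add_action( 'wp_ajax_save_example_rule_secure', 'example_save_rule_secure' );

function example_save_rule_secure() {
    // Rejects requests whose 'security' field does not carry a valid nonce (CSRF).
    check_ajax_referer( 'example_rule_nonce', 'security' );

    // Only users allowed to manage the shop may change discount rules (authorization).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $rule = array(
        'name'     => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'discount' => floatval( $_POST['discount'] ?? 0 ),
    );
    update_option( 'example_discount_rule', $rule );
    wp_send_json_success( $rule );
}

function example_render_rule_secure() {
    $rule = get_option( 'example_discount_rule' );
    // Escape on output regardless of what was sanitized on the way in.
    echo '<td>' . esc_html( $rule['name'] ) . '</td>';
}

// The nonce the hardened endpoint expects is generated server-side for the
// admin page that submits the form, e.g. wp_create_nonce( 'example_rule_nonce' ),
// and sent back in the 'security' POST field.
```

The two halves map onto the two findings in the text: the missing authorization is what lets an unprivileged request create, duplicate or delete rules, and the missing sanitization and escaping is what turns a rule field into a stored XSS sink. Both checks are needed; a nonce alone does not establish who the caller is, and sanitizing on input does not replace escaping on output.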
WooCommerce users running this plugin are strongly advised to update it to the latest version, v2.2.1, as soon as possible to avoid potentially severe consequences.
A full description of the vulnerabilities, mitigation and patches can be found on the Wordfence website.