High Severity Vulnerabilities found in WooCommerce

  • Sunday, 20th September, 2020
  • 12:43pm

The Wordfence Threat Intelligence team was made aware, on August 20, 2020, of several vulnerabilities in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. Discount Rules for WooCommerce is a WordPress plugin designed to work with the WooCommerce e-Commerce plugin to create custom rules for discounts.

In response, Wordfence released a firewall rule on the same day to protect against these vulnerabilities. During their investigation, they also discovered a completely separate group of vulnerabilities in the plugin which had not yet been patched. A firewall rule protecting against these separate vulnerabilities was released the next day, August 21, 2020.

After being contacted by Wordfence, who disclosed the full set of vulnerabilities, Flycart responded that they were aware of one of the issues and released an interim patch on August 22, 2020. Flycart then released a more comprehensive patch on September 2, 2020, followed by a patch addressing the remaining issues on September 9, 2020.

The vulnerabilities could enable attackers to view all of the available coupons on a website and to activate, duplicate, and delete discount rules. At least two of the actions, "savePriceRule" and "saveCartRule", were also vulnerable to stored Cross-Site Scripting (XSS) in several of the rule fields. This could lead to financial and reputational costs for affected e-commerce sites.
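The issues described above (missing authorization on rule actions, CSRF on state-changing requests, and unsanitized rule fields stored and later rendered) map onto three controls a WordPress plugin handler should apply. The following is an added illustration written for this page; it is not Flycart's code and does not reflect how Discount Rules for WooCommerce is implemented. The action name `example_save_rule`, the nonce name, the option key and the field names are all assumptions.

```php
<?php
// Added example (not from the plugin): a hardened admin-ajax handler for a
// hypothetical "save rule" action. All names and fields here are assumptions.

// Register for logged-in users only. Deliberately NOT registering a
// 'wp_ajax_nopriv_' hook means unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_save_rule', 'example_save_rule' );

function example_save_rule() {
    // 1. CSRF: the request must carry a nonce issued for this specific action.
    //    check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_rule_nonce', 'security' );

    // 2. Authorization: being logged in is not enough; the user must hold the
    //    capability that WooCommerce grants to shop managers and administrators.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: whitelist the accepted fields and coerce each to its type,
    //    so nothing but a plain string ever lands in the stored title.
    $rule = array(
        'title'    => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'discount' => floatval( $_POST['discount'] ?? 0 ),
        'enabled'  => ! empty( $_POST['enabled'] ) ? 1 : 0,
    );
    if ( '' === $rule['title'] || $rule['discount'] < 0 || $rule['discount'] > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid rule data.' ), 400 );
    }

    update_option( 'example_discount_rule', $rule ); // hypothetical option key
    wp_send_json_success( $rule );
}

// Output side: escape on render as well, so a value that did reach the database
// (for example via an older, unsanitized code path) still cannot become script.
function example_render_rule_title() {
    $rule = get_option( 'example_discount_rule', array( 'title' => '' ) );
    echo '<td>' . esc_html( $rule['title'] ) . '</td>';
}

// The admin page that issues the request passes the nonce to its JavaScript,
// which must send it back as the 'security' POST field checked above.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-rules', plugins_url( 'rules.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-rules', 'exampleRules', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_save_rule_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The nonce check alone does not stop a low-privileged account that can legitimately load the admin page, and the capability check alone does not stop a logged-in manager being tricked into submitting a forged request, which is why both are applied before any input is touched. Escaping at output time is kept independent of input sanitization so that each control holds even if the other is bypassed.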

Timeline

  • 20/08/2020 – The Wordfence Threat Intelligence team was made aware of a vulnerability in Discount Rules for WooCommerce. Wordfence released a firewall rule to their Wordfence Premium users which addressed this vulnerability and also discovered a separate unpatched vulnerability.
  • 21/08/2020 – Wordfence released a firewall rule for the unpatched vulnerability to Wordfence Premium users, contacted Flycart, the plugin’s developers, and sent them the disclosure.
  • 22/08/2020 – Flycart released an interim patch preventing unauthorized users from switching between the ‘v1’ and ‘v2’ codebase and replied to Wordfence's disclosure, to advise that they were working on a patch.
  • 02/09/2020 – Flycart released a patch that mitigated most of the vulnerabilities but left the version switching functionality vulnerable to CSRF attacks.
  • 09/09/2020 – Flycart released a final patch that addressed all vulnerabilities.
  • 19/09/2020 – The initial firewall rule was made available to Wordfence Free users.
  • 20/09/2020 – The second firewall rule was made available to Wordfence Free users.

It is strongly recommended that WooCommerce users running this plugin update it to the latest version, v2.2.1, as soon as possible to avoid potentially severe consequences.

A full description of the vulnerabilities, mitigation and patches can be found on the Wordfence website.

Originally posted in Research, Vulnerabilities, WordPress Security on September 17, 2020 by Ram Gall
