WooCommerce Site Hacked – Plugin Vulnerabilities 2022
Vulnerabilities discovered in five WooCommerce WordPress plugins with over 135,000 installations
The U.S. government's National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.
The vulnerabilities range in severity up to Critical, the highest being rated 9.8 on a scale of 1-10.
Every vulnerability was assigned a CVE (Common Vulnerabilities and Exposures) identifier, the standard number given to publicly disclosed vulnerabilities.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, installed in over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
A Cross-Site Request Forgery (CSRF) vulnerability is a flaw in a website or plugin that lets an attacker trick a website user into performing an action the user did not intend.
A browser automatically attaches a site's cookies to every request it sends to that site, including the cookie that tells the site the user is registered and logged in. If a logged-in administrator is tricked into sending a forged request, the site carries it out with the administrator's privileges, so the attacker effectively assumes the admin's privilege level. This gives the attacker full access to the website, exposes sensitive customer information, and so on.
This specific vulnerability can lead to an export file download. The vulnerability description does not say which file an attacker can download.
Given that the plugin's purpose is to export WooCommerce order data, it is reasonable to assume that order data is the kind of file an attacker could obtain.
The official vulnerability description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”
The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.
The official changelog for the plugin notes that the vulnerability was patched in version 3.3.3.
2. Advanced Dynamic Pricing for WooCommerce
The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce which is installed in over 20,000 websites.
This plugin was discovered to have two Cross-Site Request Forgery (CSRF) vulnerabilities that affect all plugin versions less than 4.1.6.
The purpose of the plugin is to make it easy for merchants to create discount and pricing rules.
The first vulnerability (CVE-2022-43488) can lead to a “rule type migration.”
That is somewhat vague. It may be assumed that the vulnerability has something to do with the ability to change the pricing rules.
The official description provided at the NVD:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”
Read more at the NVD: CVE-2022-43488
The NVD assigned the second CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin a CVE number, CVE-2022-43491.
The official NVD description of the vulnerability is:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.”
The official plugin changelog notes:
“Changelog – 4.1.6 – 2022-10-26
Fixed some CSRF and broken access control vulnerabilities”
3. Advanced Coupons for WooCommerce Coupons plugin
The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs.
The problem discovered in this plugin is also a CSRF vulnerability and affects all versions less than 4.5.01.
The plugin's changelog notes:
“Bug Fix: The getting started notice dismiss AJAX request has no nonce value.”
The official NVD description is:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”
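The "no nonce value" changelog line above is the WordPress shape of the CSRF problem described earlier: an admin-ajax.php handler that does something state-changing without checking that the request originated from a page WordPress rendered for this user. The following is an added illustration, not code from any of the plugins named on this page; the function names, action names, option name and script handle (prefixed `example_`) are invented for the example. It shows a notice-dismiss handler without a nonce beside the hardened form that uses `check_ajax_referer()` and a capability check.

```php
<?php
/*
 * Added illustration (not the code of any plugin named above): a WordPress
 * admin-AJAX handler that dismisses a "getting started" notice.
 * All example_* names are invented for this example.
 */

// --- Weak form: any request that reaches admin-ajax.php performs the action. ---
// A logged-in admin who visits an attacker-controlled page can be made to send
// this request by their own browser, cookies included, so the action runs
// with the admin's session and nothing ties it to the admin's intent.
function example_dismiss_notice_unsafe() {
    update_option( 'example_notice_dismissed', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice_unsafe', 'example_dismiss_notice_unsafe' );

// --- Hardened form: a nonce ties the request to a page WordPress itself
// rendered for this user, and a capability check limits who may act. ---
function example_enqueue_notice_script() {
    // The nonce is generated server side and handed to the page's JavaScript.
    // A third-party site cannot read it, so it cannot forge a valid request.
    wp_enqueue_script( 'example-notice', plugins_url( 'notice.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notice', 'exampleNotice', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_notice_script' );

function example_dismiss_notice_safe() {
    // check_ajax_referer() verifies the nonce sent in the 'nonce' request
    // field against the 'example_dismiss_notice' action and, by default,
    // terminates the request with -1 when it does not match.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // A valid nonce only proves the request came from a page this user saw;
    // whether this user is allowed to act is a separate authorisation check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_option( 'example_notice_dismissed', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice_safe', 'example_dismiss_notice_safe' );
```

The page's JavaScript (`notice.js` in this example) would POST `action=example_dismiss_notice_safe` together with `nonce=exampleNotice.nonce` to `exampleNotice.ajaxUrl`. The two checks address two different things: the nonce answers "did this request come from my own page?", the capability check answers "may this user do this at all?". The later plugins on this page that lack "authorisation and proper CSRF checks" are missing both.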
4. WooCommerce Dropshipping by OPMC – Critical
The fourth affected software is the WooCommerce Dropshipping by OPMC plugin which has over 3,000 installations.
Versions of this plugin earlier than 4.4 contain an unauthenticated SQL injection vulnerability rated 9.8 (on a scale of 1-10) and labeled Critical.
In general, a SQL injection vulnerability allows an attacker to send their own commands to the WordPress database: reading or altering records, assuming admin-level permissions, erasing the database, or downloading sensitive data.
The NVD describes this specific plugin vulnerability:
“The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.”
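The NVD wording names two separate defects: a parameter used in SQL without sanitising or escaping, and a REST endpoint available to unauthenticated users. The following added illustration (not the WooCommerce Dropshipping plugin's code; the route, table and function names are invented) shows a WordPress REST route with both defects next to a version that parameterises the query with `$wpdb->prepare()`, validates the argument, and restricts the route with a `permission_callback`.

```php
<?php
/*
 * Added illustration, not the code of any plugin named on this page.
 * Route namespace, table name and example_* function names are invented.
 */

// --- Weak form: user input is concatenated into SQL, and the route is open
// to unauthenticated callers because permission_callback returns true. ---
function example_get_order_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $order_id = $request->get_param( 'order_id' );
    // Whatever string arrives in order_id becomes part of the SQL statement.
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_orders WHERE id = " . $order_id );
    return rest_ensure_response( $rows );
}

// --- Hardened form: the value is parameterised, typed and authorised. ---
function example_get_order_safe( WP_REST_Request $request ) {
    global $wpdb;
    // order_id has already passed the validate/sanitize callbacks declared in
    // the route args below; prepare() still treats it strictly as an integer.
    $order_id = (int) $request->get_param( 'order_id' );
    $sql = $wpdb->prepare(
        "SELECT id, status, total FROM {$wpdb->prefix}example_orders WHERE id = %d",
        $order_id
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    // Weak registration: anyone on the internet can call it.
    register_rest_route( 'example/v1', '/orders-unsafe/(?P<order_id>[^/]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_order_unsafe',
        'permission_callback' => '__return_true',
    ) );

    // Hardened registration: capability required, argument validated.
    register_rest_route( 'example/v1', '/orders/(?P<order_id>\d+)', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_get_order_safe',
        // Unauthenticated callers are rejected before the callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'order_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

For string parameters the same pattern applies with the `%s` placeholder, which `prepare()` escapes; a value used inside a `LIKE` pattern should additionally go through `$wpdb->esc_like()` before being passed to `prepare()`. Note that the route regex and the `validate_callback` are defence in depth, not a substitute for `prepare()`: the query itself must never be built by concatenating request data.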
5. Role Based Pricing for WooCommerce
The Role Based Pricing for WooCommerce plugin has two Cross-Site Request Forgery (CSRF) vulnerabilities. There are 2,000 installations of this plugin.
As noted above for the other plugins, a CSRF vulnerability generally involves an attacker tricking an admin or other user into clicking a link or performing some other action. That can result in the attacker gaining the user's website permission levels.
This vulnerability is rated 8.8 High.
The NVD description of the first vulnerability warns:
“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP”
The following is the official NVD description of the second vulnerability:
“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog”
The official Role Based Pricing for WooCommerce WordPress plugin changelog advises that the plugin is fully patched in version 1.6.2:
“Changelog 2022-10-01 – version 1.6.2
* Fixed the Arbitrary File Upload Vulnerability.
* Fixed the issue of ajax nonce check.”
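The two NVD descriptions for this plugin list the checks that were missing: a CSRF nonce, an authorisation check (a subscriber should not reach an upload handler at all), validation of the uploaded file, and validation of a user-supplied path before it reaches a PHP file function (which is what allows a `phar://` path to trigger PHAR deserialization). The following added illustration is not the Role Based Pricing plugin's code; the handler names, nonce action, upload subdirectory and `example_*` functions are invented. It shows an AJAX upload handler for a CSV of role prices with all four checks, plus a helper that resolves a user-supplied file name to a path confined to the plugin's own upload folder.

```php
<?php
/*
 * Added illustration, not the code of any plugin named on this page.
 * All example_* names, the nonce action and the folder name are invented.
 */

function example_upload_price_csv() {
    // 1. CSRF: the request must carry a nonce issued to this user
    //    (check_ajax_referer() terminates the request with -1 on failure).
    check_ajax_referer( 'example_upload_price_csv', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require a capability
    //    that subscribers do not have.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['price_csv'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // 3. File validation: allow exactly one extension/MIME pair and let
    //    WordPress compare the claimed extension with the file content.
    //    Anything that is not a .csv (a .php file, for instance) is rejected
    //    instead of being written into the web-served uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['price_csv']['tmp_name'],
        $_FILES['price_csv']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'only .csv files are accepted', 400 );
    }

    // wp_handle_upload() applies the same 'mimes' restriction again and
    // stores the file under wp-content/uploads with a sanitised name.
    $moved = wp_handle_upload( $_FILES['price_csv'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    wp_send_json_success( array( 'file' => basename( $moved['file'] ) ) );
}
add_action( 'wp_ajax_example_upload_price_csv', 'example_upload_price_csv' );

/*
 * 4. Path validation. Resolves a user-supplied file name to a path inside
 *    the plugin's own upload folder, or returns WP_Error. Stream wrappers
 *    (phar://, php://, data:// ...) and directory traversal are rejected
 *    before any PHP file function sees the value, so file_exists(),
 *    fopen() and friends only ever operate on a plain local file.
 */
function example_resolve_upload_path( $user_supplied ) {
    $uploads = wp_upload_dir();
    $base    = trailingslashit( $uploads['basedir'] ) . 'example-prices/';

    // Only a bare file name is accepted: basename() strips any directory or
    // scheme part, so a mismatch means the input contained one.
    $name = basename( (string) $user_supplied );
    if ( $name !== $user_supplied || false !== strpos( $name, '://' ) ) {
        return new WP_Error( 'bad_name', 'invalid file name' );
    }
    if ( 'csv' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        return new WP_Error( 'bad_ext', 'only .csv files are accepted' );
    }

    // realpath() collapses anything that survived and returns false for a
    // missing file; then confirm the result is still under $base.
    $real = realpath( $base . $name );
    if ( false === $real || 0 !== strpos( $real, realpath( $base ) . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside_base', 'file not found' );
    }
    return $real;
}
```

The order of the checks matters: the nonce and capability checks run before the request body is even looked at, and the path helper rejects the scheme separator and any directory component on the raw string before calling `realpath()`, because the PHAR deserialization described in the second NVD entry is triggered by the file function receiving the `phar://` path, not by anything the code does with the file afterwards.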
Course of Action
It is good practice to update all vulnerable plugins. It is also best practice to back up the site before making any plugin update and, if possible, to stage the site and test the updated plugin there before updating production.