XSS Vulnerability Fixed in the WordPress WooCommerce Plugin
A stored XSS vulnerability, which allowed attackers to execute malicious code in the user’s browser, was discovered and patched in the WordPress WooCommerce plugin.
The vulnerability was discovered by Fortinet’s FortiGuard Labs and affects all WooCommerce versions up to and including 2.4.8.
WooCommerce is a plugin for the WordPress CMS, which allows administrators to run an online store on top of the blogging platform.
WooThemes initially developed the plugin, but Automattic, the company that runs WordPress, purchased it over the summer. At this moment, Automattic reports that WooCommerce has over 1 million active installations and claims that it’s used for over 30% of all the online stores running on WordPress.
Stored XSS in the product price section
The vulnerability, as described by Fortinet, is found in the input field for the product’s sale price, in the store’s backend. The field is not properly filtered, so an attacker who has gained access to the WP backend can enter malicious code in it, and the attacker’s full code is then stored in the WordPress database.
When a user accesses a page with malicious code added to the price section, they are exposed to whatever attack the hackers may have concocted.
No interaction is needed, and in some cases, attackers don’t even need to hack and compromise other WP stores. They can simply install their own WooCommerce store, add the malicious code to fake product pages, and then launch a spam campaign.
Every user who reaches the infected page would be exposed to the XSS attacks.
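The sale price handling described above can be illustrated with a short added example, which is not WooCommerce code and not taken from Fortinet's report. It shows a price field validated against an allow-list before storage and HTML-encoded on output, next to the unfiltered pattern; all function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not WooCommerce code. All function names are hypothetical.

/**
 * Validate a submitted sale price before it is stored.
 * Returns a normalised decimal string, or null if the input is not a price.
 */
function parse_sale_price(string $raw): ?string
{
    $raw = trim($raw);
    // Allow-list: digits with an optional 1-4 digit fraction. Markup cannot pass.
    if (preg_match('/^\d{1,9}(\.\d{1,4})?$/D', $raw) !== 1) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

/** Vulnerable pattern: the stored value is written into the page unchanged. */
function render_price_unsafe(string $stored): string
{
    return '<span class="price">' . $stored . '</span>';
}

/** Hardened pattern: encode on output even if the stored value was validated. */
function render_price_safe(string $stored): string
{
    return '<span class="price">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Constructed sample inputs: two plain prices and one value carrying markup.
$samples = ['19.99', ' 5 ', '19.99<script>alert(1)</script>'];

foreach ($samples as $raw) {
    $price = parse_sale_price($raw);
    echo 'input:    ', $raw, PHP_EOL;
    echo 'accepted: ', $price ?? '(rejected)', PHP_EOL;
    // What each renderer would emit if the raw value had been stored as-is.
    echo 'unsafe:   ', render_price_unsafe($raw), PHP_EOL;
    echo 'safe:     ', render_price_safe($raw), PHP_EOL, PHP_EOL;
}
```

Validation at input and encoding at output are independent layers: the second still protects visitors if a value reaches the database by a path that skips the first.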
Lower-ranked users can take advantage of this vulnerability
This type of indirect attack is possible, but the first scenario, in which attackers plant the code in an existing store, is much more dangerous, since they can steal cookies or redirect users to exploit kits from websites with a higher reputation and user following.
Since any user who has “editing” rights on a WordPress site can also edit WooCommerce store pages, attackers don’t specifically need to compromise admin accounts.
Automattic has released WooCommerce 2.4.10 to fix the stored XSS issue.