If you have ever owned an eCommerce website, there is almost cent percent probability that you must have heard about WooCommerce, the popular plugin for eCommerce websites. Powering over 35% of the eCommerce websites on the internet, and with more than 4 million installations, WooCommerce is one of the most trusted plugin for users looking to have an online store of their own. If you are a WooCommerce plugin user, then there is some important news which you shouldn’t miss.
Simon Scannell, a researcher at RIPS Technologies GmbH, discovered a vulnerability in the plugin (credits to HackerNews for finding the blogpost), which reportedly allows a malicious or compromised privileged user to gain full control over the website, provided they are using the unpatched version of the plugin. The vulnerability’s description in Simon’s blog reads as follows:
A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.
Simon further reveals technical details about the exploit in his blogpost. He reveals how Wordpress automatically allows accounts with the “edit_users” permission to edit the credentials of an administrator account as well. But, plugins like WooCommerce incorporate meta capabilities, which are implemented as functions, and whose return value decides whether or not the current user can perform that action. This prevents the Shop Managers from editing administrator accounts.
The main drawback of the way in which Wordpress handles these account privileges, is that the meta capabilities of the given plugin gets executed if and only if the plugin is active. If by any chance, the WooCommerce plugin gets disabled, then all the user accounts with the “edit_users” permission will be able to fiddle with the administrator accounts as well, and hence take over the entire website.
Although, only administrators can disable plugins, an arbitrary file deletion vulnerability in WooCommerce allows shop managers to delete any file on the server that is writable. This vulnerability can be used to disable WooCommerce itself, and thereby get rid of all the restrictions on the shop manager account, since “By deleting the main file of WooCommerce,
woocommerce.php, WordPress will be unable to load the plugin and then disables it” as Simon says in his blog.
While the vulnerability is pretty critical, the good news is that it is patched in version 3.4.6 of WooCommerce, last month. If you use WooCommerce in your website, it is highly recommended that you update your WooCommerce plugin and Wordpress itself too, to make sure you get rid of the aforesaid vulnerability.