Beware WordPress Site Owners using WooCommerce Discounts Plugin
Published on: Tuesday 25-08-2020
Discount Rules for WooCommerce helps create bulk discounts, dynamic pricing, advanced discounts, percentage discounts, product-based discounts and tiered discounts for a business's products. You can set discounts for products and product variations with it, and in the pro version you can also set discounts based on categories, attributes, customers and user roles. These discounts are shown on product pages, product detail pages, carts, checkouts and in email notifications.
What is the WooCommerce Discounts Plugin Vulnerability?
Security researchers recently warned administrators and owners of WordPress-based e-commerce websites running the WooCommerce platform that cyber-attacks are exploiting vulnerabilities in this discount plugin.
The Discount Rules for WooCommerce plugin (versions 2.0.2 and below) suffers from multiple vulnerabilities: SQL injection, authorization issues and unauthenticated stored cross-site scripting (XSS), where the unauthenticated stored XSS could potentially lead to remote code execution. These flaws were identified on 7th August 2020 by researchers at the web security company WebARX and were published on 20th August 2020.
In the attacks analyzed by WebARX, the cybercriminals are injecting a JavaScript file that redirects visitors to their own site, which most likely contains advertisements and malware.
According to WebARX's analysis, since the issue allows an attacker to inject a payload into any template hook(s) they desire, it could be used to trigger other exploits if the site has other vulnerable plugins installed, although WebARX has not seen such a payload yet. Also, since HTML/JavaScript can be injected into any template hook, this could be abused to execute unwanted actions on the administration pages of the site, potentially leading to remote code execution.
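The flaws described above (an unauthenticated entry point, unescaped input reaching SQL, and stored HTML printed on a template hook) follow a pattern that is easy to recognise in any WordPress plugin. The following is an added example written for this post, not code from the Discount Rules for WooCommerce plugin or from WebARX: the AJAX action name `awdr_save_banner`, the table name `awdr_banners` and the nonce name are hypothetical. It places the insecure pattern beside the hardened one so the missing checks are visible side by side; it runs inside WordPress with WooCommerce active.

```php
<?php
/**
 * Added example, not the plugin's own code. Both handlers store an HTML
 * "banner" that is later printed on a WooCommerce template hook. Names marked
 * hypothetical are not from the plugin.
 */

/* ---------- INSECURE PATTERN (what the advisory describes; do not ship) ---------- */

// "nopriv" registers the handler for visitors who are NOT logged in, so the
// endpoint is reachable without any authentication at all.
add_action( 'wp_ajax_nopriv_awdr_save_banner', 'awdr_save_banner_insecure' ); // hypothetical action
add_action( 'wp_ajax_awdr_save_banner', 'awdr_save_banner_insecure' );

function awdr_save_banner_insecure() {
    global $wpdb;
    // No nonce, no capability check; raw input is concatenated into SQL
    // (SQL injection) and stored unescaped (stored XSS on every page that
    // fires the chosen hook).
    $hook = $_POST['hook'];
    $html = $_POST['html'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}awdr_banners (hook, html) VALUES ('$hook', '$html')" );
    wp_die();
}

function awdr_print_banners_insecure( $hook ) {
    global $wpdb;
    foreach ( $wpdb->get_col( "SELECT html FROM {$wpdb->prefix}awdr_banners WHERE hook = '$hook'" ) as $html ) {
        echo $html; // printed verbatim: whatever was stored runs in the visitor's browser
    }
}

/* ---------- HARDENED PATTERN ---------- */

// Logged-in users only: there is deliberately no "nopriv" registration.
add_action( 'wp_ajax_awdr_save_banner', 'awdr_save_banner_secure' );

function awdr_save_banner_secure() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued to this user
    //    (emit it on the admin form with wp_nonce_field( 'awdr_save_banner', 'security' )).
    check_ajax_referer( 'awdr_save_banner', 'security' );

    // 2. Authorization: only shop managers/administrators may change storefront content.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validation: the hook must come from an allow-list, not be an arbitrary string.
    $allowed_hooks = array( 'woocommerce_before_cart', 'woocommerce_before_checkout_form' );
    $hook = sanitize_key( wp_unslash( $_POST['hook'] ?? '' ) );
    if ( ! in_array( $hook, $allowed_hooks, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid hook' ), 400 );
    }

    // 4. Sanitize the stored HTML to the post-safe subset (drops <script>, on* handlers, javascript: URLs).
    $html = wp_kses_post( wp_unslash( $_POST['html'] ?? '' ) );

    // 5. Parameterised insert: $wpdb formats and escapes each value itself.
    $wpdb->insert(
        $wpdb->prefix . 'awdr_banners', // hypothetical table
        array( 'hook' => $hook, 'html' => $html ),
        array( '%s', '%s' )
    );

    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}

// Output side: prepared statement on read, and sanitize again on echo so a row
// written by an older, vulnerable release cannot inject script either.
function awdr_print_banners_secure( $hook ) {
    global $wpdb;
    $rows = $wpdb->get_col( $wpdb->prepare(
        "SELECT html FROM {$wpdb->prefix}awdr_banners WHERE hook = %s",
        $hook
    ) );
    foreach ( $rows as $html ) {
        echo wp_kses_post( $html );
    }
}
add_action( 'woocommerce_before_cart', function () {
    awdr_print_banners_secure( 'woocommerce_before_cart' );
} );
```

The five numbered steps in the hardened handler map directly onto the three issue classes in the advisory: the nonce and capability check close the authorization gap, the allow-list and `$wpdb->insert`/`$wpdb->prepare` remove the SQL injection, and `wp_kses_post` on both write and read removes the stored XSS, including content a previous vulnerable version may already have saved.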
Attention to this flaw is important, as this plugin has been installed on more than 30,000 websites.
What is the solution?
The good news is that the developers patched these vulnerabilities within a week with the release of version 2.1.0.
If you are using this plugin on your WordPress site, your website administrators must update it as soon as possible, as according to WebARX, attacks exploiting the vulnerabilities have already been seen.
WebARX told SecurityWeek that an attacker looking to exploit the vulnerabilities would first have to crawl the internet for affected WordPress websites by looking for the “woocommerce” string in their source code. Once a potential target has been found, they can send it a malicious payload.
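Before updating, an administrator who manages several sites usually wants to know which installs are still on a version at or below 2.0.2. The following is an added example, not code from the plugin, WordPress core or WebARX: a standalone PHP CLI script that reads plugin headers the way WordPress itself does and reports any copy of "Discount Rules for WooCommerce" older than the patched 2.1.0. The plugins path passed on the command line and the embedded sample header are the only inputs; the sample header is constructed for the demonstration.

```php
<?php
/**
 * Added example, not the plugin's own code. Usage:
 *   php check-discount-rules.php /var/www/site/wp-content/plugins
 * Without an argument it only runs against the constructed sample header below.
 */

const PATCHED_VERSION = '2.1.0';
const PLUGIN_NAME     = 'Discount Rules for WooCommerce';

/** Extract one header field ("Version", "Plugin Name") from a plugin's main file text. */
function plugin_header_field( string $contents, string $field ): ?string {
    // Same pattern WordPress core uses for file headers: the field name at the
    // start of a comment line, a colon, then the value up to end of line.
    if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi', $contents, $m ) ) {
        // Strip a trailing comment terminator if the value sits on the last comment line.
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

/** True when $version is below the release that fixed the flaws (2.0.2 and below are affected). */
function is_vulnerable_version( string $version ): bool {
    return version_compare( $version, PATCHED_VERSION, '<' );
}

/** Walk a wp-content/plugins directory; return [folder => [version, vulnerable]] for matching plugins. */
function find_discount_rules_installs( string $plugins_dir ): array {
    $found = array();
    foreach ( glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' ) as $file ) {
        // Only the header comment matters, so read just the first 8 KB like core does.
        $head = (string) file_get_contents( $file, false, null, 0, 8192 );
        if ( plugin_header_field( $head, 'Plugin Name' ) !== PLUGIN_NAME ) {
            continue;
        }
        $version = plugin_header_field( $head, 'Version' ) ?? '0';
        $found[ basename( dirname( $file ) ) ] = array(
            'version'    => $version,
            'vulnerable' => is_vulnerable_version( $version ),
        );
    }
    return $found;
}

// Self-check on a constructed header (not a real install).
$sample = "<?php\n/*\nPlugin Name: Discount Rules for WooCommerce\nVersion: 2.0.2\n*/\n";
assert( plugin_header_field( $sample, 'Version' ) === '2.0.2' );
assert( is_vulnerable_version( '2.0.2' ) === true );
assert( is_vulnerable_version( '2.1.0' ) === false );

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( find_discount_rules_installs( $argv[1] ) as $folder => $info ) {
        printf( "%s: version %s -> %s\n", $folder, $info['version'],
            $info['vulnerable'] ? 'VULNERABLE, update to ' . PATCHED_VERSION . ' or later' : 'patched' );
    }
}
```

Matching on the `Plugin Name` header rather than a folder name avoids depending on the install directory (on wordpress.org the plugin's folder is believed to be `woo-discount-rules`, but that is an assumption here, and a manually uploaded copy can live under any folder name). `version_compare` handles the `2.0.2` versus `2.1.0` comparison correctly, which a plain string comparison would not for versions such as `2.10.0`.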
Anyone can build a website or any software, but only a few professionals can build cyber-secured websites or software applications, as they understand the importance of secure coding practices.
Shekhar Ashok Pawar is the CEO of GrassDew IT Solutions Pvt Ltd, which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development, Telecommunication Solutions and Software Products. With more than 15 years of international experience, he holds CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also a certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He completed Executive Management (SJMSOM, IIT-Bombay) after Engineering in Electronics & Telecommunications, Mumbai. He is also certified in "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is the lead contributor to GrassDewPanther @ LinkedIn, which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot seller on Amazon.