Recently, the Discount Rules for WooCommerce plugin has made the news owing to multiple vulnerabilities. Exploiting these flaws could allow a remote attacker to execute code on an affected site. The flaws threatened the security of thousands of WooCommerce online stores.
Discount Rules for WooCommerce Plugin Vulnerabilities
Researchers from WebARX Security have found multiple security vulnerabilities in the Discount Rules for WooCommerce plugin. These bugs could cause serious damage to thousands of websites.
Sharing the details in a blog post, the researchers revealed that they found SQL injection, cross-site scripting (XSS), and authorization issues in the plugin. In combination, the flaws could even lead to remote code execution on target websites.
The bugs existed because the plugin's AJAX handlers performed neither authorization (capability) checks nor nonce verification, WordPress's mechanism for CSRF protection. Hence, any unauthenticated visitor could perform various administrative actions.
As stated in the post,
The plugin registers several AJAX actions of which one, wp_ajax_wdr_ajax, handles a bulk of different AJAX actions which are supposedly only to be accessed by administrators. Unfortunately this AJAX action is also registered as wp_ajax_nopriv_wdr_ajax. Even if wp_ajax_nopriv_wdr_ajax was not registered, authenticated users could still exploit this since wp_ajax_wdr_ajax does not perform any type of authorization or CSRF check.
In brief, the actions an attacker could perform by exploiting the flaw include retrieving the user list and the list of coupon codes, updating configuration settings, and saving, duplicating, or deleting discount rules individually or in bulk.
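To make the access-control mistake concrete, here is the pattern WebARX describes (one AJAX action exposed to both logged-in and logged-out users, dispatching to admin-only sub-actions with no capability or nonce check) next to a hardened version. This is added example code, not the plugin's own source: only the hook names wp_ajax_wdr_ajax and wp_ajax_nopriv_wdr_ajax come from the write-up; the handler function names, the "method" sub-actions, the nonce action name, the option name and the enqueued script are hypothetical.

```php
<?php
/**
 * Added illustration (not code from the Discount Rules for WooCommerce plugin):
 * a WordPress AJAX handler reachable by anyone, next to the same handler with
 * nonce (CSRF) and capability (authorization) checks in place.
 * Assumptions: handler names, the "method" sub-actions, the 'wdr_ajax_nonce'
 * action name, the option name and the admin script are all hypothetical.
 */

/* ---------- Vulnerable pattern ------------------------------------------ */

// Registering the handler under the nopriv_ hook as well exposes it to
// visitors who are not logged in at all; /wp-admin/admin-ajax.php itself is
// reachable by anyone.
add_action( 'wp_ajax_wdr_ajax',        'example_wdr_ajax_vulnerable' );
add_action( 'wp_ajax_nopriv_wdr_ajax', 'example_wdr_ajax_vulnerable' );

function example_wdr_ajax_vulnerable() {
    // Dispatches straight on a request parameter: no current_user_can(),
    // no check_ajax_referer(). A POST of action=wdr_ajax&method=... reaches
    // the chosen sub-action from any browser, and even without the nopriv_
    // registration a logged-in admin's browser could be made to send it (CSRF).
    $method = isset( $_REQUEST['method'] ) ? sanitize_key( wp_unslash( $_REQUEST['method'] ) ) : '';
    example_wdr_dispatch( $method );
}

/* ---------- Hardened pattern -------------------------------------------- */

// 1. Register the logged-in hook only; admin functionality never needs
//    a wp_ajax_nopriv_* counterpart.
add_action( 'wp_ajax_wdr_ajax', 'example_wdr_ajax_hardened' );

function example_wdr_ajax_hardened() {
    // 2. CSRF: the request must carry a nonce minted for this action in the
    //    'security' parameter. The third argument (false) makes
    //    check_ajax_referer() return instead of die()-ing with -1, so the
    //    handler can answer with a proper JSON error.
    if ( ! check_ajax_referer( 'wdr_ajax_nonce', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // 3. Authorization: a valid nonce proves intent, not privilege, so a
    //    capability check is still required before any sub-action runs.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $method = isset( $_REQUEST['method'] ) ? sanitize_key( wp_unslash( $_REQUEST['method'] ) ) : '';
    example_wdr_dispatch( $method );
}

// Hands the nonce to the plugin's admin-page script so legitimate requests
// can send it as the 'security' parameter (script handle/path hypothetical).
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    wp_enqueue_script( 'example-wdr-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-wdr-admin', 'exampleWdr', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wdr_ajax_nonce' ),
    ) );
} );

/* ---------- Shared dispatcher (the "bulk of different AJAX actions") ----- */

function example_wdr_dispatch( $method ) {
    // wp_send_json_success()/wp_send_json_error() terminate the request,
    // so no break is needed after them.
    switch ( $method ) {
        case 'list_users':
            // In the vulnerable variant this hands the user list to anyone.
            wp_send_json_success( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ) );
        case 'save_settings':
            $settings = isset( $_REQUEST['settings'] ) ? wp_unslash( $_REQUEST['settings'] ) : array();
            // Authorization stops strangers changing settings; values that are
            // later rendered into pages must still be sanitized on input and
            // escaped on output, which is the XSS side of the advisory.
            update_option( 'example_wdr_settings', is_array( $settings ) ? map_deep( $settings, 'sanitize_text_field' ) : array() );
            wp_send_json_success();
        default:
            wp_send_json_error( array( 'message' => 'Unknown method.' ), 400 );
    }
}
```

The two checks are independent and both are needed: the nonce defeats cross-site request forgery against a logged-in administrator, while current_user_can() defeats a low-privilege or, with the nopriv_ hook gone, any unauthenticated caller. Dropping only the nopriv_ registration, as the quoted paragraph notes, would leave both the CSRF and the privilege problem in place.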
Exploitation Attempts Detected – Patch Now
The Discount Rules for WooCommerce plugin has over 30,000 active installations at present, which means the vulnerabilities potentially threatened thousands of WooCommerce stores.
Following the discovery of the flaws, the researchers reached out to the developers to report the matter, and the developers patched the bugs in plugin version 2.1.0.
However, even after the fix, numerous websites remained vulnerable because they had not updated the plugin. Consequently, criminal hackers seized the opportunity to target vulnerable websites.
WebARX also confirmed in their post that they observed large-scale attempts to exploit the flaws.
We have seen an influx of attacks against this vulnerability. Primarily from the IP address 45.140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook.
Nonetheless, the plugin developers have since released Discount Rules for WooCommerce version 2.1.2, which addresses the XSS issue on affected websites.
All plugin users should therefore update to the latest version to stay protected.
Let us know your thoughts in the comments.