One more vulnerable WordPress plugin requires immediate attention from users. This time the flaw appeared in the TI WooCommerce Wishlist plugin, and it allows a full site takeover. The bug is already under active exploitation.
TI WooCommerce Wishlist Plugin Flaw
Researchers from NinTechNet found a serious security flaw in the TI WooCommerce Wishlist plugin for WordPress. Exploiting the vulnerability could allow an attacker to take over the target website.
Specifically, the vulnerability resides in the plugin's settings import/export feature. As described in the researchers' blog post:
The plugin has an import function in the “ti-woocommerce-wishlist/includes/export.class.php” script, loaded with the WordPress admin_action_ hook, that lacks a capability check and security nonce, allowing an authenticated user to modify the content of the WordPress options table in the database.
Because the handler writes to the options table without checking who is calling it, any authenticated user, even one who merely registered a customer account, can change site-wide settings. That is enough to elevate to administrator (for example by changing the default role assigned to new registrations and then creating a fresh account), and the same write access lets the attacker alter the site's URL settings and redirect its traffic to a malicious website.
The researchers note that WooCommerce prevents non-admin users from accessing the WordPress admin dashboard by default, which would ordinarily limit what a low-privileged account can do. However, WooCommerce also allows customer registration, which is what gives an adversary the authenticated account needed to reach the vulnerable import function.
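To make the two missing protections concrete, here is an added illustration of an admin_action_ handler of the shape the researchers describe, first in its vulnerable form and then hardened. This is example code written for this article, not the plugin's own code; the hook name, option names and form are hypothetical placeholders.

```php
<?php
/**
 * Added illustration (not the TI WooCommerce Wishlist code): a WordPress
 * admin_action_* settings-import handler without and with the missing
 * capability check and nonce. The hook name "myplugin_import_settings"
 * and the option names are hypothetical.
 */

// --- Vulnerable shape. WordPress fires admin_action_{action} for a request
// to wp-admin/admin.php?action=myplugin_import_settings from ANY logged-in
// user. Nothing here asks who the user is or where the request came from,
// so a self-registered customer can write arbitrary rows of wp_options.
// (Not registered below; shown only for contrast with the hardened version.)
function myplugin_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( is_array( $settings ) ) {
        foreach ( $settings as $name => $value ) {
            update_option( $name, $value ); // e.g. default_role, siteurl, home ...
        }
    }
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}

// --- Hardened shape: this is the handler that is actually hooked.
add_action( 'admin_action_myplugin_import_settings', 'myplugin_import_settings_hardened' );
function myplugin_import_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Nonce check (CSRF protection): the request must originate from a
    //    form WordPress rendered for this action. check_admin_referer()
    //    calls wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'myplugin_import_settings' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Invalid import payload.', 400 );
    }

    // 3. Allow-list: even an administrator should only be able to write the
    //    plugin's own options through this path, never arbitrary rows.
    $allowed = array( 'myplugin_page_title', 'myplugin_show_icon' ); // hypothetical
    foreach ( $settings as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( (string) $value ) );
        }
    }

    wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}

// The settings page must emit the matching nonce so the check above passes.
// Rendered inside the plugin's admin page callback:
function myplugin_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_import_settings">
        <?php wp_nonce_field( 'myplugin_import_settings' ); ?>
        <textarea name="settings"></textarea>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability check comes first because a nonce proves only that the request came from a page the site rendered, not that the user is allowed to perform the action. A registered customer can still obtain a nonce for any page they can view, so a nonce on its own would not have closed this hole.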
Bug Under Exploit – Update ASAP!
NinTechNet stated that it observed active exploitation attempts against its firewall customers' sites, which means the bug was being used in the wild before it came to the attention of the vendor or the researchers.
Consequently, the researchers have warned all users running plugin version 1.21.11 or below that the bug is under active exploitation.
Fortunately, the plugin developers have patched the flaw in TI WooCommerce Wishlist version 1.21.12. All users should make sure their sites are updated to the latest plugin version.
For sites that have already been compromised, NinTechNet recommends reviewing the list of administrator accounts and deleting any the attacker created. Affected admins should also reset passwords and scan the site for suspicious files.
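As an added example of the first of those checks (not a script from NinTechNet or the plugin), the following WP-CLI-runnable PHP lists every administrator account, flags logins that are not on a known allow-list or that were registered after a chosen cut-off date, and prints the options whose values would produce the privilege-escalation and redirect effects described above. The allow-list and cut-off date are hypothetical and must be replaced with the site's real values.

```php
<?php
/**
 * Added example, not part of the original article or the plugin.
 * Run from the WordPress root with WP-CLI:  wp eval-file audit-admins.php
 * Both values below are assumptions to be replaced per site.
 */
$known_admins = array( 'site-owner' );        // logins you recognise (hypothetical)
$cutoff       = '2022-06-01 00:00:00';        // start of the suspected exploitation window (hypothetical)

echo "Administrator accounts (newest first):\n";
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
foreach ( $admins as $u ) {
    $flags = array();
    if ( ! in_array( $u->user_login, $known_admins, true ) ) {
        $flags[] = 'unknown login';
    }
    if ( $u->user_registered >= $cutoff ) {
        $flags[] = 'registered after cut-off';
    }
    printf(
        "%-5d %-20s %-30s %s %s\n",
        $u->ID,
        $u->user_login,
        $u->user_email,
        $u->user_registered,
        $flags ? '<< ' . implode( ', ', $flags ) : ''
    );
}

// Options an attacker with arbitrary write access to wp_options would touch
// to obtain an admin account or redirect visitors; confirm each is what you expect.
echo "\nSensitive options:\n";
foreach ( array( 'default_role', 'users_can_register', 'siteurl', 'home' ) as $opt ) {
    printf( "%-20s = %s\n", $opt, var_export( get_option( $opt ), true ) );
}

// Remove a rogue account and reassign its posts to a legitimate owner with:
//   wp user delete <ID> --reassign=<owner ID>
```

Deleting the rogue account is not the end of the cleanup: an attacker who held administrator access may also have installed plugins, edited theme files or added scheduled tasks, which is why the researchers' advice to scan the site for suspicious files still applies after the account list is clean.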