Multiple security bugs in WooCommerce Dynamic Pricing and Discounts plugin could allow code injection attacks. It is a popular plugin for online stores managing various pricing and promotional activities.
WooCommerce Dynamic Pricing and Discounts Plugin Bugs
Researchers from NinTechNet found at least two different vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin.
As elaborated in their post, one of these vulnerabilities included a high-severity unauthenticated settings import flaw. The bug existed due to a lack of capability check that allowed an unauthenticated user to import settings. This would further allow injecting JavaScript codes on target web pages leading to stored XSS. Describing this issue, the blog reads,
Because some fields aren’t sanitised, the attacker can inject JavaScript code into the imported JSON-encoded file. The code will be executed on every product pages of the WooCommerce e-shop, in the frontend… It’s also possible to replace the JS code with any HTML tags such as a Meta Refresh tag to redirect visitors and customers to a malicious website for instance.
Whereas the second vulnerability allowed unauthenticated settings export leading to similar consequences. It was a medium severity flaw that received a CVSS score of 5.3.
Developers Fixed The Vulnerabilities
The researchers discovered the vulnerabilities recently, after which they reached out to Envato on August 18, 2021.
Following their report, the vendors released an update to the WooCommerce Dynamic Pricing & Discounts plugin with version 2.4.2.
However, it remains unclear if the update adequately addressed the bugs since the researchers observed the absence of security nonce.
Despite our recommendations, the new version still lacks a security nonce to prevent against CSRF attacks in the import function.
Nonetheless, it’s still advisable for all users to update their sites with the latest plugin version to avoid potential threats.
Let us know your thoughts in the comments.
1 comment
Manotony I read this email being spammed
Comments are closed.