Home Latest Cyber Security News | Network Security Hacking Numerous Bugs Found In WooCommerce Dynamic Pricing and Discounts Plugin
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Numerous Bugs Found In WooCommerce Dynamic Pricing and Discounts Plugin

by Abeerah Hashim
written by Abeerah Hashim
LayerSlider WordPress plugin had an SQL injection vulnerability

Multiple security bugs in WooCommerce Dynamic Pricing and Discounts plugin could allow code injection attacks. It is a popular plugin for online stores managing various pricing and promotional activities.

WooCommerce Dynamic Pricing and Discounts Plugin Bugs

Researchers from NinTechNet found at least two different vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin.

As elaborated in their post, one of these vulnerabilities included a high-severity unauthenticated settings import flaw. The bug existed due to a lack of capability check that allowed an unauthenticated user to import settings. This would further allow injecting JavaScript codes on target web pages leading to stored XSS. Describing this issue, the blog reads,

Because some fields aren’t sanitised, the attacker can inject JavaScript code into the imported JSON-encoded file. The code will be executed on every product pages of the WooCommerce e-shop, in the frontend… It’s also possible to replace the JS code with any HTML tags such as a Meta Refresh tag to redirect visitors and customers to a malicious website for instance.

Whereas the second vulnerability allowed unauthenticated settings export leading to similar consequences. It was a medium severity flaw that received a CVSS score of 5.3.

Developers Fixed The Vulnerabilities

The researchers discovered the vulnerabilities recently, after which they reached out to Envato on August 18, 2021.

Following their report, the vendors released an update to the WooCommerce Dynamic Pricing & Discounts plugin with version 2.4.2.

However, it remains unclear if the update adequately addressed the bugs since the researchers observed the absence of security nonce.

Despite our recommendations, the new version still lacks a security nonce to prevent against CSRF attacks in the import function.

Nonetheless, it’s still advisable for all users to update their sites with the latest plugin version to avoid potential threats.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

1 comment

tom September 2, 2021 - 2:21 pm

Manotony I read this email being spammed

Comments are closed.