Multiple security bugs in the WooCommerce Dynamic Pricing and Discounts plugin could allow code injection attacks. The plugin is popular with online stores for managing pricing and promotional activities.
WooCommerce Dynamic Pricing and Discounts Plugin Bugs
Researchers from NinTechNet found at least two different vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin.
The second vulnerability allowed unauthenticated settings export, with similar consequences. It was a medium-severity flaw that received a CVSS score of 5.3.
Developers Fixed The Vulnerabilities
The researchers discovered the vulnerabilities recently and reported them to Envato on August 18, 2021.
Following their report, the vendor released an update to the WooCommerce Dynamic Pricing & Discounts plugin, version 2.4.2.
However, it remains unclear whether the update adequately addressed the bugs, since the researchers observed that a security nonce was still missing. In their words: "Despite our recommendations, the new version still lacks a security nonce to protect against CSRF attacks in the import function."
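The two checks the researchers' findings turn on are a capability check on the export handler (so anonymous visitors cannot pull settings) and a nonce check on the import handler (so a page an administrator happens to visit cannot push settings into the site). The following is an added example of a WordPress settings export/import pair with both checks in place; it is not code from the WooCommerce Dynamic Pricing & Discounts plugin, and the plugin name, option name, action names and setting keys are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Settings Transfer (hypothetical, added example)
 * Not the WooCommerce Dynamic Pricing & Discounts plugin's code. Shows the two
 * checks the article's bugs concern: a capability check so unauthenticated users
 * cannot export settings, and a nonce so a third-party page cannot make a
 * logged-in administrator import settings (CSRF).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

const EXAMPLE_OPTION = 'example_pricing_settings'; // hypothetical option name

// Settings page: renders the export link and the import form.
add_action( 'admin_menu', function () {
    add_options_page( 'Settings Transfer', 'Settings Transfer', 'manage_options',
        'example-settings-transfer', 'example_render_page' );
} );

function example_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // The export link carries a nonce so the URL cannot simply be replayed from elsewhere.
    $export_url = wp_nonce_url( admin_url( 'admin-post.php?action=example_export' ), 'example_export' );
    echo '<h1>Settings Transfer</h1>';
    echo '<p><a href="' . esc_url( $export_url ) . '">Export settings (JSON)</a></p>';
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_import">';
    wp_nonce_field( 'example_import', 'example_import_nonce' ); // CSRF token field
    echo '<input type="file" name="settings_file" accept="application/json">';
    submit_button( 'Import' );
    echo '</form>';
}

// EXPORT. admin_post_{action} (without the nopriv_ variant) already requires a
// logged-in user; the capability check restricts it to administrators and the
// nonce check stops the URL from being triggered from another site.
add_action( 'admin_post_example_export', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    check_admin_referer( 'example_export' ); // dies on a missing or invalid nonce
    $settings = get_option( EXAMPLE_OPTION, array() );
    nocache_headers();
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="settings.json"' );
    echo wp_json_encode( $settings );
    exit;
} );

// IMPORT. This is the kind of handler the researchers say still lacked a nonce:
// without check_admin_referer(), any page an administrator visits could POST a
// crafted settings file here and have it accepted.
add_action( 'admin_post_example_import', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    check_admin_referer( 'example_import', 'example_import_nonce' );

    if ( empty( $_FILES['settings_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['settings_file']['tmp_name'] ) ) {
        wp_die( esc_html__( 'No file uploaded.', 'example' ), 400 );
    }
    $data = json_decode( file_get_contents( $_FILES['settings_file']['tmp_name'] ), true );
    if ( ! is_array( $data ) ) {
        wp_die( esc_html__( 'Invalid settings file.', 'example' ), 400 );
    }
    // Allow-list the keys and sanitize each value instead of storing whatever the
    // file contains; accepting arbitrary structures is how an import becomes injection.
    $allowed = array( 'discount_percent' => 'absint', 'label' => 'sanitize_text_field' );
    $clean   = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $data[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $data[ $key ] );
        }
    }
    update_option( EXAMPLE_OPTION, $clean );
    wp_safe_redirect( add_query_arg( 'imported', '1',
        admin_url( 'options-general.php?page=example-settings-transfer' ) ) );
    exit;
} );
```

When reviewing a plugin's import or export code, the quick check is whether every `admin_post_*`, `admin-ajax` or REST handler that reads or writes options calls both `current_user_can()` and `check_admin_referer()` (or `wp_verify_nonce()`) before touching the data; a handler registered with the `nopriv_` prefix, or one that skips either call, is the pattern behind the two findings described above.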
Nonetheless, it’s still advisable for all users to update their sites with the latest plugin version to avoid potential threats.
Let us know your thoughts in the comments.