Numerous Vulnerabilities Found In Discount Rules for WooCommerce Plugin

Recently, the Discount Rules for WooCommerce Plugin has made it to the news owing to multiple vulnerabilities. Exploiting these flaws could allow remote code execution by a potential attacker. The flaws threatened the security of thousands of WooComerce online stores.

Discount Rules for WooCommerce Plugin Vulnerabilities

Researchers from WebARX Security have found multiple security vulnerabilities in the Discount Rules for WooCommerce Plugin. These bugs could lead to serious damages to thousands of websites.

Sharing the details in a blog post, the researchers revealed that they found SQL injection, cross-site scripting (XSS), and authorization issues in the plugin. Eventually, exploiting the flaws could even lead to remote code execution attacks on target websites.

The bugs existed due to the absence of authorization checks and nonce token. Hence, any unauthenticated user could possibly perform various actions.

As stated in the post,

The plugin registers several AJAX actions of which one, wp_ajax_wdr_ajax, handles a bulk of different AJAX actions which are supposedly only be accessed by administrators.
Unfortunately this AJAX action is also registered as wp_ajax_nopriv_wdr_ajax. Even if wp_ajax_nopriv_wdr_ajax was not registered, authenticated users could still exploit this since wp_ajax_wdr_ajax does not perform any type of authorization or CSRF check.

Briefly, the possible actions an attacker could perform after exploit include retrieval of user lists, list of coupon codes, updating configuration settings, saving, duplicating, or deleting a discount rule individually or in bulk.

Exploitation Attempts Detected – Patch Now

The  Discount Rules for WooCommerce plugin boasts over 30,000 active installations at present. It means the vulnerabilities potentially threatened thousands of WooCommerce stores.

Following the discovery of the flaws, the researchers reached out to the developers to report the matter. Eventually, they patched the bugs with the release of plugin version 2.1.0.

However, even after the fix, numerous websites remained vulnerable as they failed to update the plugin. Consequently, criminal hackers leveraged the opportunity to target vulnerable websites.

WebARX also confirmed in their post that they observed massive attempts to exploit the flaws.

We have seen an influx of attacks against this vulnerability. Primarily from the IP address 45.140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook.

Nonetheless, the plugin developers have now recently released Discount Rules for WooCommerce version 2.1.2. This version will fix any websites affected by XSS.

Thus, all plugin users must ensure updating their websites to the latest version to stay protected.

Let us know your thoughts in the comments.