WooCommerce vulnerabilities in WordPress plugin discovered

WooCommerce Vulnerabilities Overview

This threat report provides actionable intelligence about multiple vulnerabilities recently discovered in Discount Rules for the WooCommerce WordPress plugin. Successful exploitation of these weaknesses could allow a remote unauthenticated attacker to execute arbitrary code.

The vulnerabilities were quickly patched by the developers after discovery. Now it is imperative that administrators using the affected software update the plugin to avoid a potential attack.

Related Reading: Recent Surge in Two WordPress Attacks

Discount Rules Vulnerabilities Tactics, Techniques, and Procedures

These WooCommerce plugin vulnerabilities affect the Discount Rules for 2.0.2 and prior versions. Exploitation could allow SQL injection and unauthenticated stored cross-site scripting opportunities which could lead to remote code execution administered by the attacker.

The vulnerabilities discovered in this plugin were due to a lack of authorization and nonce token checks.

An attacker utilizing this vulnerability would first identify potentially vulnerable WordPress sites by searching for the string “woocommerce” in the target’s source code. Once identified, an attacker would proceed in the exploit attempt by sending a malicious payload to the targeted site. In observed cases, these payloads contained a JavaScript file that redirected users to a malicious site.

Because this weakness allows an attacker to inject crafted code into any template hook, this security issue could also lead to the exploit of numerous other vulnerabilities if the targeted site is using other plugins that have unpatched weaknesses.

Security researchers have reported a large increase in attacks against this vulnerability since it was first discovered. Attacks have been observed coming from the following IP addresses:

• 45.140.167.17
• 95.181.152.136

The updated version of the plugin corrects this vulnerability and forces all actions to be performed by an authenticated user. Further details and a link to the available patch are referenced in the Sources section below.

What This Means to Your Business

• Exploitation may lead to unauthorized access and control of company assets.
• Could potentially lead to the exfiltration of sensitive company data.

What You Can Do About These WooCommerce Vulnerabilities

If your company uses the WooCommerce Discounts Plugin for a WordPress site, we recommend verifying that you are using the latest version available to remediate the threat of these weaknesses in your environment.

Along with regular software updates, it is important to verify that third-party code used is also up to date as this can drastically impact your security posture.

Related Reading: Attributes of a Robust Vulnerability Management Program

Sources and Other Helpful Information

WordPress Plugin Directory (Patch): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2359660%40woo-discount-rules%2Ftrunk&old=2348192%40woo-discount-rules%2Ftrunk&sfp_email=&sfph_mail=

IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/collection/c27acbfed2b7d10eb3aa52003f085ba1

SecurityWeek: https://www.securityweek.com/wordpress-sites-targeted-vulnerabilities-woocommerce-discounts-plugin

WebARX: https://www.webarxsecurity.com/multiple-vulnerabilities-in-discount-rules-for-woocommerce-plugin/

MITRE ATT&CK Techniques:

• Exploit Public-Facing Application (T1190): https://attack.mitre.org/techniques/T1190/
• Exploitation for Client Execution (T1203): https://attack.mitre.org/techniques/T1203/
• Process Injection (T1055): https://attack.mitre.org/techniques/T1055/

Contact us for more information about Avertium’s managed security service capabilities. 

8 Steps to Take if You've Been Breached

With the prevalence, severity, and sophistication of cybersecurity attacks growing by the day, businesses of all types and sizes are scrambling to protect themselves. This best practices guide takes you through the 8 essential steps to managing a data breach. Download now.

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.