The widely-used WooCommerce Booster plugin recently patched a Reflected Cross-Site Scripting (XSS) vulnerability, impacting over 70,000 websites utilizing the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a comprehensive WordPress plugin that offers over 100 features for customizing WooCommerce stores. The modular bundle provides essential functionalities necessary for operating an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross Site Scripting (XSS)
A reflected cross-site scripting vulnerability in WordPress typically occurs when an input expects a specific type of data (like an image upload or text) but allows other inputs, including malicious scripts. An attacker can then execute these scripts on a visitor’s browser. If the user is an admin, the attacker could potentially steal admin credentials and take over the site.
The non-profit Open Web Application Security Project (OWASP) explains this vulnerability:
"Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
…XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise."
As of now, the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
"The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting."
This description indicates the vulnerability arises from a failure to "escape some URLs," meaning to encode them using special characters (ASCII). Properly escaping URLs ensures they are encoded in an expected format. For instance, a blank space in a URL might be encoded as "%20."
The failure to correctly encode URLs enables an attacker to input something else, such as a malicious script or a redirection to a malicious site.
Changelog Records Vulnerabilities
The plugin’s official log of software updates, known as a Changelog, references a Cross Site Request Forgery (CSRF) vulnerability. The changelog for the free Booster for WooCommerce plugin includes the following notation for version 6.0.1:
"FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes."
Users of the plugin are advised to update to the latest version.
Citations
Read the advisory at the U.S. Government National Vulnerability Database
CVE-2022-4227 Detail
Read a summary of the vulnerability at the WPScan website
Booster for WooCommerce – Reflected Cross-Site Scripting
Featured image by Shutterstock/Asier Romero
