The U.S. government’s National Vulnerability Database (NVD) has released warnings about vulnerabilities in five WooCommerce WordPress plugins, impacting over 135,000 installations.
The severity of these vulnerabilities ranges up to Critical, with some rated as high as 9.8 on a scale from 1-10.
Each vulnerability has been assigned a CVE (Common Vulnerabilities and Exposures) identifier, which is standard practice for disclosed vulnerabilities.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, which is installed on over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
A CSRF vulnerability arises when a plugin performs a state-changing action without verifying that the logged-in user actually intended to request it, which lets an attacker trick that user's browser into issuing the request.
Browsers automatically attach a site's session cookies, which tell the site that the user is registered and logged in, to every request sent to that site, so a forged request runs with the victim's privileges. If the victim is an administrator, the attacker's action runs with full administrative access and can expose sensitive customer information.
This specific vulnerability can lead to an export file download. It is reasonable to assume that order data could be accessed, given the purpose of the plugin.
The official vulnerability description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”
The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin up to version 3.3.2. It was patched in version 3.3.3.
2. Advanced Dynamic Pricing for WooCommerce
The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce, which is installed on over 20,000 websites.
This plugin has two CSRF vulnerabilities affecting all versions less than 4.1.6. The first vulnerability (CVE-2022-43488) can lead to a "rule type migration." The exact nature of this vulnerability is somewhat vague but may involve changes to pricing rules.
The official description provided at the NVD:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”
The second CSRF vulnerability is assigned CVE-2022-43491.
The official NVD description of the second vulnerability:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.”
The official plugin changelog notes that these vulnerabilities were fixed:
“Changelog – 4.1.6 – 2022-10-26
Fixed some CSRF and broken access control vulnerabilities.”
3. Advanced Coupons for WooCommerce Coupons Plugin
The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs. The problem is a CSRF vulnerability affecting all versions less than 4.5.01. The plugin changelog lists this patch as a “bug fix.”
The official NVD description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”
4. WooCommerce Dropshipping by OPMC – Critical
The fourth affected plugin, WooCommerce Dropshipping by OPMC, has over 3,000 installations. Versions less than 4.4 contain an Unauthenticated SQL injection vulnerability rated 9.8, labeled as Critical.
In general, SQL injection vulnerabilities allow an attacker to run SQL of their own choosing against the WordPress database with the application's own database privileges, which are effectively administrative: making changes to the database, erasing it, or downloading sensitive data.
The NVD describes this specific plugin vulnerability:
“The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitize and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.”
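The pattern the NVD text describes, as an added illustration rather than code from the OPMC plugin: a REST route whose parameter is interpolated straight into SQL and that is open to unauthenticated callers, beside the hardened form that declares and validates the argument, requires a capability, and uses a prepared statement. The route names, the `example_suppliers` table and the `manage_woocommerce` capability check are assumptions.

```php
<?php
// Added illustration (not the OPMC plugin's code). Table and route names are assumptions.
add_action('rest_api_init', function () {
    // Weak pattern: no real permission check (anyone may call it) and the
    // request parameter is placed in the query unescaped, so its contents
    // can be parsed as SQL syntax rather than as a value.
    register_rest_route('example-dropship/v1', '/supplier', [
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function (WP_REST_Request $req) {
            global $wpdb;
            $id  = $req->get_param('id');                    // caller controlled
            $sql = "SELECT * FROM {$wpdb->prefix}example_suppliers WHERE id = $id";
            return rest_ensure_response($wpdb->get_results($sql));
        },
    ]);

    // Hardened pattern: authorization, a declared and validated argument type,
    // and $wpdb->prepare() so the value is always bound as an integer.
    register_rest_route('example-dropship/v1', '/supplier-safe', [
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can('manage_woocommerce');   // assumed capability
        },
        'args' => [
            'id' => [
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value > 0;
                },
            ],
        ],
        'callback' => function (WP_REST_Request $req) {
            global $wpdb;
            $sql = $wpdb->prepare(
                "SELECT id, name FROM {$wpdb->prefix}example_suppliers WHERE id = %d",
                $req->get_param('id')
            );
            return rest_ensure_response($wpdb->get_results($sql));
        },
    ]);
});
```

When reviewing a plugin, the two things to look for in every `register_rest_route()` call are a `permission_callback` that does more than return true and a query built with `$wpdb->prepare()` or `esc_sql()` rather than string interpolation.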
5. Role Based Pricing for WooCommerce
The Role Based Pricing for WooCommerce plugin has two CSRF vulnerabilities, with 2,000 installations affected. CSRF vulnerabilities generally involve an attacker tricking an admin or user into clicking a link or performing an action, so that the victim's browser sends a request the attacker chose and the site carries it out with the victim's permission level.
The NVD description of the first vulnerability:
“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorization and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscribers to upload arbitrary files, such as PHP.”
The NVD description of the second vulnerability:
“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorization and proper CSRF checks, and does not validate path given via user input, allowing any authenticated users like subscribers to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog.”
The official changelog advises that the plugin is fully patched in version 1.6.2:
“Changelog 2022-10-01 – version 1.6.2
- Fixed the Arbitrary File Upload Vulnerability.
- Fixed the issue of ajax nonce check.”
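The "ajax nonce check" in that changelog is the WordPress mechanism that closes the CSRF gap described in this article's introduction and in the two NVD entries above. As an added illustration (not the Role Based Pricing plugin's code), here is an admin-ajax upload handler that relies on login alone, beside one that verifies a nonce, requires a capability and validates the uploaded file; the action name, nonce name, field name and the `manage_woocommerce` capability are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Action, nonce and field names are assumptions.

// Weak pattern: wp_ajax_* hooks are reachable by every logged-in user, a
// subscriber included, and with no nonce check a request forged from the
// victim's browser is indistinguishable from one the victim meant to send.
add_action('wp_ajax_example_rbp_upload', function () {
    $file = $_FILES['pricing_file'];
    move_uploaded_file($file['tmp_name'], WP_CONTENT_DIR . '/uploads/' . $file['name']);
    wp_send_json_success();
});

// Hardened pattern.
add_action('wp_ajax_example_rbp_upload_safe', function () {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user; check_ajax_referer() ends the request with HTTP 403 otherwise.
    check_ajax_referer('example_rbp_upload', 'security');

    // 2. Authorization: being logged in is not permission; require a
    //    capability that subscribers do not hold.
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 3. Input validation: accept only the type the feature needs (CSV here)
    //    and let WordPress name and place the file instead of trusting the client.
    if (empty($_FILES['pricing_file']) || $_FILES['pricing_file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file', 400);
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['pricing_file'], [
        'test_form' => false,
        'mimes'     => ['csv' => 'text/csv'],
    ]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(['file' => basename($result['file'])]);
});

// The admin page that issues the request must embed the matching nonce, e.g.
// wp_localize_script('example-rbp', 'exampleRbp',
//     ['nonce' => wp_create_nonce('example_rbp_upload')]);
// and send it as the 'security' field of the POST body.
```

The nonce alone does not fix the second NVD entry: the path validation and the capability check are what keep a low-privilege account from reaching the file handling at all.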
Course of Action
It is advisable to update all vulnerable plugins. It’s also a best practice to back up the site before making any plugin updates and, if possible, to stage the site and test the plugin before updating.
Featured image by Shutterstock/Asier Romero