WooCommerce has issued an advisory about an XSS vulnerability, while Wordfence has simultaneously reported a critical vulnerability in a WooCommerce plugin called Dokan Pro. Wordfence's report warns of a SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive information from a website's database.
Dokan Lite Version Is Not Affected
Wordfence confirmed that Dokan Lite, the free version of the plugin, is not affected by this vulnerability.
Dokan Pro WordPress Plugin
Dokan Pro enables users to transform their WooCommerce website into a multi-vendor marketplace similar to Amazon and Etsy. The plugin has over 50,000 installations, and versions up to and including 3.10.3 are vulnerable. According to Wordfence, version 3.11.0 is the fully patched and safest version. The current number of active installations of the lite version is over 50,000, with total all-time installations exceeding 3 million. As of now, only 30.6% of installations use version 3.11.
This vulnerability does not affect Dokan Lite; these statistics only reflect the version distribution for Dokan Lite and may not indicate the distribution for Dokan Pro.
Changelog Doesn’t Show Vulnerability Patch
The changelog informs users of a plugin update's contents, and most developers clearly note when an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including 3.10.3, but the changelog for version 3.10.4, released on April 25, 2024, does not mention a patch. It is possible that the publisher did not want to alert hackers to the critical vulnerability.
CVSS Score 10
The Common Vulnerability Scoring System (CVSS) assigns a score to represent the severity of a vulnerability, ranging from 1 (least severe) to 10 (most severe). Dokan Pro received a CVSS score of 10, indicating the highest severity. Users are recommended to take immediate action.
Description of Vulnerability
Dokan Pro contains an unauthenticated SQL Injection vulnerability: attackers can manipulate the queries the plugin sends to the database without needing any user credentials. This is severe because it allows attackers to extract sensitive information from the database.
Wordfence describes it as follows:
"The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into existing queries to extract sensitive information from the database."
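The root cause Wordfence names, an unescaped user-supplied value placed into an unprepared query, is easiest to understand side by side with the fix. The following is an added example written for this article, not code from Dokan Pro or Wordfence; it uses a constructed SQLite table with a hypothetical `codes` schema and a hypothetical `code` lookup, and only illustrates the two query-building patterns. In WordPress the prepared form corresponds to passing the value through `$wpdb->prepare()` with a `%s` placeholder.

```python
import sqlite3

# Constructed sample data standing in for a plugin table that is looked up
# by a user-supplied 'code' value. This is NOT the Dokan Pro schema.
SAMPLE_ROWS = [
    ("ABC123", "vendor-1", "secret-one"),
    ("XYZ789", "vendor-2", "secret-two"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE codes (code TEXT, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO codes VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, code):
    """Vulnerable pattern: the user-supplied value is concatenated into the
    SQL text with no escaping and no preparation, so the value can change
    the structure of the query instead of only its data."""
    sql = "SELECT owner FROM codes WHERE code = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, code):
    """Hardened pattern: the SQL text is fixed and the value is bound as a
    parameter, so the database always treats it as data."""
    cursor = conn.execute("SELECT owner FROM codes WHERE code = ?", (code,))
    return [row[0] for row in cursor]


def demo():
    """Run both lookups against benign and hostile input and collect what
    each returns, so the difference can be checked rather than just read."""
    conn = make_db()
    benign = "ABC123"
    # Constructed hostile value: it closes the string literal and appends a
    # tautology, which with concatenation turns the lookup into "match all".
    hostile = "' OR '1'='1"
    results = {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "prepared_benign": lookup_prepared(conn, benign),
        "prepared_hostile": lookup_prepared(conn, hostile),
    }
    # A legitimate value containing a quote breaks the concatenated query
    # outright (SQL syntax error); a second symptom of the same defect.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_quote_error"] = False
    except sqlite3.OperationalError:
        results["unsafe_quote_error"] = True
    results["prepared_quote"] = lookup_prepared(conn, "O'Brien")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsafe lookup returns every owner for the hostile value and raises an error for an ordinary value containing an apostrophe; the prepared lookup returns exactly the matching row for the benign value and nothing for the other two. That behaviour, not a code review, is what a site owner can test for when auditing a plugin's own lookups.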
Recommended Action for Dokan Pro Users
Users of Dokan Pro are advised to update their sites as soon as possible. While testing updates before implementation is recommended, due to the severity of this vulnerability, an expedited update is advisable.
WooCommerce has also published an advisory for a vulnerability affecting versions 8.8.0 and higher. It is rated at 5.4, a medium-level threat, and only affects stores with the Order Attribute feature enabled. Users are strongly recommended to update to the latest version, WooCommerce 8.9.3.
WooCommerce Cross Site Scripting (XSS) Vulnerability
The vulnerability affecting WooCommerce is a type of Cross-Site Scripting (XSS), which relies on a user clicking a malicious link.
According to WooCommerce:
"This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin. We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic's proactive security research program with HackerOne. Our support teams have received no reports of it being exploited, and our engineering team's analyses did not reveal it had been exploited."
Should Web Hosts Be More Proactive?
Web developer and search marketing expert Adam J. Humphreys believes that web hosts should be more proactive in patching critical vulnerabilities, even if this might cause some sites to lose functionality due to conflicts with other plugins or themes.
Adam observed:
"The deeper issue is the fact that WordPress remains without auto updates, and a constant vulnerability, which is the illusion their sites are safe. Most core updates are not performed by hosts, and almost every single host doesn't perform any plugin updates, even if they do them, until a core update is performed. Then there is the fact most premium plugin updates will often not perform automatically. Many of which contain critical security patches."
In response to whether he meant a push update, where an update is forced onto a website, Adam replied:
"Correct, many hosts will not perform updates until a WordPress core update. Softaculous (a WordPress auto installer) engineers confirmed this for me. WPEngine, which claims fully managed updates, doesn’t do it frequently enough to patch in a timely manner for said plugins. WordPress without ongoing management is a vulnerability, and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion."
Read More:
- Dokan Pro <= 3.10.3 – Unauthenticated SQL Injection
- WooCommerce Updated to Address Cross-site Scripting Vulnerability