Dec 1, 2021

80K Retail WooCommerce Sites Exposed by Plugin XSS Bug

The Variation Swatches plugin security flaw lets attackers with low-level permissions tweak important settings on e-commerce sites to inject malicious scripts.
The plugin “Variation Swatches for WooCommerce,” installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) security vulnerability that could allow cyberattackers to inject malicious web scripts and take over sites.
Variation Swatches is designed to allow retailers using the WooCommerce platform for WordPress sites to show different versions of the same product, like a sweater in several colors. Unfortunately, vulnerable versions can also give users without administrative permissions — like customers or subscribers — access to the plugin’s settings, according to researchers from Wordfence.
“More specifically, the plugin registered the ‘tawcvs_save_settings,’ ‘update_attribute_type_setting’ and ‘update_product_attr_type’ functions, which were all hooked to various AJAX actions,” Wordfence’s Chloe Chamberland explained, in a Wednesday posting. “These three functions were all missing capability checks as well as nonce checks, which provide cross-site request forgery protection.”

Giving low-permissioned users access to the “tawcvs_save_settings” function is particularly concerning, she said, because that access can be used to update the plugin’s settings and inject malicious web scripts that would execute whenever a site owner accessed the settings area of the plugin.
“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site,” the researcher added.
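The bug class Wordfence describes here is a settings handler hooked to an AJAX action for any logged-in user, with neither a capability check nor a nonce check, whose saved value is later echoed into an admin page. The following PHP is an added illustration of that pattern and its fix; it is not the Variation Swatches plugin's own code, and the function, option, action and nonce names (`example_save_settings`, `example_swatch_settings`, `tooltip_text`) are invented for the example. The WordPress API calls used (`add_action`, `check_ajax_referer`, `current_user_can`, `sanitize_text_field`, `esc_attr`, `wp_nonce_field`) are real.

```php
<?php
/**
 * Added example, not the plugin's code. Names prefixed "example_" are
 * hypothetical. Shows a WooCommerce-style settings AJAX handler with the
 * bug class from the article, followed by a hardened version.
 */

/* ---- VULNERABLE ----------------------------------------------------- */

// wp_ajax_* only requires that the caller be logged in, so a subscriber
// (or a customer account) can reach this handler.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No check_ajax_referer(): any site that can make the victim's browser
    // POST here can forge the request (CSRF).
    // No current_user_can(): any authenticated role may change settings.
    $settings = array(
        'tooltip_text' => isset( $_POST['tooltip_text'] ) ? $_POST['tooltip_text'] : '',
    );
    update_option( 'example_swatch_settings', $settings ); // stored unsanitized
    wp_send_json_success();
}

function example_render_settings_vulnerable() {
    $settings = get_option( 'example_swatch_settings', array() );
    $text     = isset( $settings['tooltip_text'] ) ? $settings['tooltip_text'] : '';
    // Unescaped output: a stored payload such as  "><script>...</script>
    // executes in the administrator's browser when the settings page loads.
    echo '<input type="text" name="tooltip_text" value="' . $text . '">';
}

/* ---- HARDENED ------------------------------------------------------- */

add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // 1. CSRF protection. The settings page emits the nonce with
    //    wp_nonce_field() below; check_ajax_referer() terminates the
    //    request (HTTP 403, body "-1") if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization. Only users who may manage site options (by default
    //    administrators) are allowed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Sanitize on input: strip tags and control characters.
    $raw      = isset( $_POST['tooltip_text'] ) ? wp_unslash( $_POST['tooltip_text'] ) : '';
    $settings = array(
        'tooltip_text' => sanitize_text_field( $raw ),
    );
    update_option( 'example_swatch_settings', $settings );
    wp_send_json_success();
}

function example_render_settings_hardened() {
    $settings = get_option( 'example_swatch_settings', array() );
    $text     = isset( $settings['tooltip_text'] ) ? $settings['tooltip_text'] : '';
    // 4. Escape on output regardless of what was sanitized on input; the
    //    database may already hold a payload saved by an older version.
    echo '<input type="text" name="tooltip_text" value="' . esc_attr( $text ) . '">';
    // Emits <input type="hidden" name="nonce" value="..."> for the handler above.
    wp_nonce_field( 'example_save_settings', 'nonce' );
}
```

The two checks are independent and both are needed: `current_user_can()` stops a low-privileged account from calling the handler directly, while `check_ajax_referer()` stops an attacker from riding an administrator's session via a forged cross-site request. Escaping on output matters even after a patch because a payload stored by a vulnerable version stays in the options table until the setting is overwritten.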
The vulnerability (CVE-2021-42367) affected all users of the plugin until Nov. 23, when it was patched in the new 2.1.2 version.
WordPress users are already grappling with cascading bugs, incidents and compromises. Last week for instance, GoDaddy, the world’s largest domain registrar, was breached — affecting 1.2 million customers along with various resellers of GoDaddy Managed WordPress.
In mid-November, another flawed WordPress plugin let attackers display a fake ransomware encryption message demanding about $6,000 to unlock the site. The threat was empty; all users needed to do was delete the plugin. Had the attackers deployed actual ransomware, the outcome could have been catastrophic.
And in late October, a WordPress plugin bug was discovered in the Hashthemes Demo Importer offering, that allowed users with simple subscriber permissions to wipe sites of all content.
To mitigate this latest plugin bug, Chamberland recommends that users update their sites to the patched version of Variation Swatches for WooCommerce (2.1.2, which contains the fix). Because the injected scripts she describes can create administrator accounts or modify plugin and theme files, site owners who ran a vulnerable version should also review their administrator user list and plugin and theme files for unexpected changes.