If you operate an eCommerce website using WordPress with the WooCommerce plugin, it is crucial to be aware of a recent vulnerability that could jeopardize the integrity of your online store. A researcher from RIPS Technologies GmbH, Simon Scannell, has uncovered an arbitrary file deletion vulnerability within the widely used WooCommerce plugin, which could permit a malicious insider or a compromised account holding elevated (Shop Manager) privileges to take full control of unpatched sites.

WooCommerce, renowned as one of the premier eCommerce plugins for WordPress, enables users to transform standard blog setups into comprehensive online stores. It currently powers nearly 35% of websites engaging in e-commerce, marking over 4 million active installations worldwide.

A significant aspect of this vulnerability arises from the interplay between how WordPress manages user roles and the file deletion flaws present in WooCommerce. The attack demonstrated in a recent video reveals that an account designated as a “Shop Manager” can exploit this weakness to reset administrator passwords, thereby obtaining complete control over the affected site.

When the WooCommerce plugin is activated, it designates “Shop Manager” accounts with the capability to edit user accounts, providing a pathway to manage customer profiles, orders, and product information. Under typical circumstances, a user with “edit_users” permission can make changes to an administrator’s account; however, WooCommerce imposes stricter limitations on shop managers to delineate their authority.

Nevertheless, Scannell discovered that if a WordPress administrator disables the WooCommerce plugin—whether intentionally or otherwise—the restrictions that normally apply vanish. This change permits Shop Managers to edit and reset administrator passwords at will.

According to Scannell, the vulnerability allows a Shop Manager to disable the WooCommerce plugin by exploiting a file deletion flaw present in its logging feature. “This vulnerability permits shop managers to delete any writable file on the server. By removing the main WooCommerce file, woocommerce.php, it results in WordPress being unable to load the plugin, effectively disabling it,” he stated in a blog post detailing the findings.
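The defensive counterpart to the flaw described above is a log-deletion routine that never lets a user-supplied value escape the log directory. The following is an added example written for this article, not WooCommerce's own code, and it is in Python rather than the plugin's PHP so the logic can be run and checked stand-alone. The function names (`resolve_log_path`, `delete_log`, `demo`), the `.log` naming convention and the constructed directory layout are assumptions for illustration only.

```python
"""Hardened "delete this log file" helper (added example, not WooCommerce code).

The request supplies only a short handle; the server derives the file path
itself and refuses anything that does not resolve to a regular file directly
inside the log directory. This is the general mitigation for arbitrary file
deletion via a file-management feature.
"""
import os
import re
import tempfile

# Allow-list for handles: letters, digits, dash, underscore. No separators,
# no dots, so path traversal sequences are rejected before any path is built.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeLogHandle(ValueError):
    """Raised when a handle does not map to a deletable file in the log dir."""


def resolve_log_path(log_dir: str, handle: str) -> str:
    """Map a user-supplied handle to a file path, or raise UnsafeLogHandle."""
    # 1. Syntactic check on the handle itself.
    if not HANDLE_RE.fullmatch(handle):
        raise UnsafeLogHandle(f"handle rejected by allow-list: {handle!r}")

    # 2. Defence in depth: resolve symlinks on both sides and require the
    #    candidate to be a direct child of the log directory.
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, handle + ".log"))
    if os.path.dirname(candidate) != base:
        raise UnsafeLogHandle(f"resolved outside log directory: {candidate}")

    # 3. Only regular files may be deleted (no directories, no dangling links).
    if not os.path.isfile(candidate):
        raise UnsafeLogHandle(f"not a regular file: {candidate}")
    return candidate


def delete_log(log_dir: str, handle: str) -> bool:
    """Delete the log file identified by handle; True on success."""
    os.remove(resolve_log_path(log_dir, handle))
    return True


def demo() -> dict:
    """Constructed scenario: a log directory beside a plugin file that must survive."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "wc-logs")
    os.mkdir(log_dir)
    open(os.path.join(log_dir, "fatal-errors.log"), "w").close()
    plugin_file = os.path.join(root, "woocommerce.php")  # must never be touched
    open(plugin_file, "w").close()

    results = {}
    for handle in ("fatal-errors", "../woocommerce", "missing"):
        try:
            results[handle] = delete_log(log_dir, handle)
        except UnsafeLogHandle as exc:
            results[handle] = type(exc).__name__
    results["plugin_file_intact"] = os.path.isfile(plugin_file)
    results["log_removed"] = not os.path.exists(
        os.path.join(log_dir, "fatal-errors.log")
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three checks are deliberately redundant: the allow-list alone would stop the constructed traversal handle, but the realpath comparison also catches symlinks planted inside the log directory, and the regular-file test keeps the routine from acting on directories. A reviewer auditing a file-management feature should expect to see all three, or an equivalent, before any `unlink`.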

Once the WooCommerce plugin is disabled, the Shop Manager can easily update the administrator’s password, taking control of the entire website in the process.

On August 30, 2018, the researcher responsibly disclosed these vulnerabilities to the Automattic security team, the maintainers of WooCommerce, through a HackerOne report. The security team acknowledged these flaws and subsequently addressed them in WooCommerce version 3.4.6, released last month.

Business owners are strongly urged to install the latest security updates for both WordPress and WooCommerce without delay, to mitigate the risks associated with this exploit. In this context, the MITRE ATT&CK Matrix identifies techniques such as privilege escalation and initial access, offering a framework for understanding the tactics an attacker could employ in an attack of this kind. Applying updates promptly and reviewing which accounts hold elevated roles such as Shop Manager can significantly reduce the risk of falling victim to these vulnerabilities.
