Vulnerabilities Discovered in Five WooCommerce WordPress Plugins
The U.S. government's National Vulnerability Database (NVD) has published advisories for vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations. Some of the vulnerabilities are rated as high as Critical, with a score of 9.8 on a scale of 1 – 10.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, installed on more than 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
A Cross-Site Request Forgery (CSRF) vulnerability arises from a flaw in a website plugin that lets an attacker trick a logged-in website user into carrying out an action the user did not intend.
Browsers automatically attach the cookies that tell a website the user is logged in, so a forged request is sent with the victim's own session. If the victim is an administrator, the attacker effectively acts with the admin's privilege level, gaining full access to the website and exposing sensitive client information.
The official vulnerability description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.” This affects versions of the Advanced Order Export for WooCommerce plugin up to and including version 3.3.2.
2. Advanced Dynamic Pricing for WooCommerce
The second affected plugin is Advanced Dynamic Pricing for WooCommerce, installed on more than 20,00 websites. Its purpose is to make it easy for sellers to create discounts and pricing rules.
The plugin was found to have two Cross-Site Request Forgery (CSRF) vulnerabilities affecting plugin versions below 4.1.6.
The official description provided at the NVD:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”
The NVD tracks the second CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin as CVE-2022-43491.
3. Advanced Coupons for WooCommerce Coupons plugin
The third affected plugin, Advanced Coupons for WooCommerce Coupons, has more than 10,000 installs. The problem found in the plugin is a CSRF vulnerability affecting versions below 4.5.01.
The plugin changelog describes the patch as a bug fix:
“Bug Fix: The notice removing AJAX requests has no nonce value.”
The official NVD description is:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress causing notice cancellation.”
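The changelog entry above names the root cause of this class of bug: an admin-side AJAX request that carries no nonce, so the site cannot tell a genuine click from a request forged by another page the admin happens to be viewing (the same mechanism behind the CSRF findings in the other plugins on this page). The following PHP is an added example and not code from any of the plugins discussed; it shows a notice-dismissal AJAX handler in the unprotected shape next to its hardened form, and the same nonce-plus-capability pattern applied to a form-driven action such as an order export. Every hook name, option name, capability and script handle in it is an assumption chosen for illustration.

```php
<?php
// Added example, not code from any of the plugins named on this page.
// All hook names, option names, capabilities and script handles are assumptions.

// --- 1. Vulnerable AJAX handler: nothing ties the request to the user's intent. ---
// A logged-in admin who loads an attacker-controlled page can be made to send this
// request with their own session cookies, and the site cannot distinguish it from
// a genuine click on the dismiss button.
function example_dismiss_notice_unsafe() {
    update_option( 'example_notice_dismissed', 1 );
    wp_send_json_success();
}

// --- 2. Hardened AJAX handler: nonce check plus capability check. ---
function example_dismiss_notice_safe() {
    // Verifies $_REQUEST['nonce'] against the 'example_dismiss_notice' action for the
    // current user; on mismatch WordPress stops the request (dies with -1) by default.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // The nonce proves intent, not authority: still check what this user may do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    update_option( 'example_notice_dismissed', 1 );
    wp_send_json_success();
}
// Register only the logged-in hook; with no wp_ajax_nopriv_ variant, anonymous
// requests never reach the handler.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_safe' );

// Hand the nonce to the admin-side script that sends the request.
function example_enqueue_notice_script() {
    wp_enqueue_script( 'example-notice', plugins_url( 'notice.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notice', 'exampleNotice', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'example_dismiss_notice',
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_notice_script' );

// --- 3. Same protection for a form-driven action (e.g. "export orders"). ---
// The form carries a nonce field; the handler refuses requests without a valid one.
function example_render_export_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_export_orders">';
    wp_nonce_field( 'example_export_orders', 'example_export_nonce' );
    submit_button( 'Export orders' );
    echo '</form>';
}

function example_handle_export() {
    // check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( 'example_export_orders', 'example_export_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'insufficient permissions', 403 );
    }
    // ... build and stream the export file here ...
}
add_action( 'admin_post_example_export_orders', 'example_handle_export' );
```

The nonce and the capability check do different jobs and both are needed: the nonce proves the request originated from a page the site itself rendered for this user, while `current_user_can()` decides whether that user is allowed to perform the action at all. A handler with only the capability check is still forgeable, which is exactly the situation the changelog describes.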
4. WooCommerce Dropshipping by OPMC – Critical
The fourth affected plugin is the WooCommerce Dropshipping by OPMC plugin which has more than 3,000 installations.
Versions of the plugin below 4.4 contain an unauthenticated SQL injection vulnerability rated 9.8 and classed as Critical.
In general, a SQL injection vulnerability can allow an attacker to control the WordPress database: take on admin-level permissions, make changes to the database, delete it, and download its sensitive contents.
The NVD describes the specific plugin vulnerability:
“The WooCommerce Dropshipping WordPress plugin before 4.4 doesn’t exactly work and removes a parameter before applying it in the SQL statement via a REST endpoint to the unauthenticated users, and then leading to a SQL injection”.
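The NVD wording above combines the two ingredients that make this finding Critical: the endpoint is reachable without authentication, and a request parameter reaches the SQL statement without being escaped. The PHP below is an added example and not the OPMC plugin's code; it registers a REST endpoint in that vulnerable shape next to a hardened version that adds a `permission_callback`, argument validation, and a `$wpdb->prepare()` placeholder. The route, table and column names and the capability used are assumptions chosen for illustration.

```php
<?php
// Added example, not the OPMC plugin's code. Route, table, column and capability
// names are assumptions chosen for illustration.

add_action( 'rest_api_init', function () {
    // --- Vulnerable shape: open to everyone, user input spliced into the SQL text. ---
    register_rest_route( 'example/v1', '/supplier-lookup-unsafe', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',   // no authentication at all
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            $ref = $request->get_param( 'ref' );
            // String concatenation: a crafted ref value changes the meaning of the query.
            $sql = "SELECT product_id FROM {$wpdb->prefix}example_supplier WHERE ref = '" . $ref . "'";
            return $wpdb->get_col( $sql );
        },
    ) );

    // --- Hardened shape: authorisation, input validation, and a prepared statement. ---
    register_rest_route( 'example/v1', '/supplier-lookup', array(
        'methods'             => 'GET',
        // Runs before the callback; callers without the capability get a 401/403 response.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Declared args are validated and sanitised by the REST API before the callback runs.
        'args'                => array(
            'ref' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    // Supplier references in this example are short alphanumeric codes.
                    return is_string( $value ) && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            $table = $wpdb->prefix . 'example_supplier';
            // $wpdb->prepare() binds the value through %s, so the SQL text never
            // contains raw input. This, not the validation above, is the injection defence.
            $sql = $wpdb->prepare( "SELECT product_id FROM {$table} WHERE ref = %s", $request->get_param( 'ref' ) );
            $ids = array_map( 'intval', $wpdb->get_col( $sql ) );
            return rest_ensure_response( array( 'product_ids' => $ids ) );
        },
    ) );
} );
```

The validation callback narrows what the endpoint accepts and is worth having, but only the prepared statement removes the injection: a parameter that passes validation today may still need to be bound rather than concatenated when the allowed format changes later. The `permission_callback` is what turns an unauthenticated 9.8 into a bug that at least requires a privileged account to reach.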
5. Role Based Pricing for WooCommerce
The Role Based Pricing for WooCommerce plugin, which has more than 2,000 installations, contains two Cross-Site Request Forgery (CSRF) vulnerabilities.
A CSRF vulnerability involves an attacker tricking an admin or other user into clicking a link or performing some other action, which lets the attacker act with that user's permission levels on the website.
To sum up, EverRanks has provided information about the vulnerabilities discovered in five WooCommerce WordPress plugins. We hope that the knowledge and experience we shared will be helpful for you. Don’t forget to follow EverRanks for more diverse news!