The most popular web content management system (CMS) is WordPress, which is used by more than 30% of all websites. By extension, the most popular ecommerce platform in the world is WooCommerce, a plugin that turns a WordPress website into an online shop. In fact, WooCommerce is so popular that it isn’t just part of WordPress’s software ecosystem, it also has a software ecosystem of its very own too.
There are hundreds of WordPress plugins that are designed to work with or extend the WooCommerce plugin in some way, and many of them are mature commercial software products in their own right. One such product is a popular extension called WooCommerce Dynamic Pricing and Discounts, which sells for a little less than $70 and has been purchased almost 20,000 times.
If your site is running that plugin, you need to update it to version 2.4.2 immediately.
Researchers recently discovered multiple security vulnerabilities affecting version 2.4.1 and below. These vulnerabilities have been fixed in version 2.4.2, which was released on August 22, 2021.
The first vulnerability is a high-severity stored cross-site scripting (XSS) bug. Cross-site scripting (XSS) is a type of security vulnerability that lets attackers inject client-side scripts into web pages viewed by other users.
The researchers found that the vulnerable code missed two important checks: a capability check, which ensures a user is authorized to perform a particular action, and a security nonce (short for “number used once”), which tries to ensure a web request is asked and answered by the same site, and that the request didn’t come from an imposter running a cross-site request forgery (CSRF) attack.
The possible consequences
Because the code injected via the settings import into WooCommerce Dynamic Pricing and Discounts is run on every product page of a WooCommerce shop, it looks like an ideal vulnerability for credit card skimmers (malicious code that reads your credit card details when they are entered into the checkout form).
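As an added illustration of the two missing checks described above and of why a value stored by a settings import ends up as stored XSS on product pages, here is a minimal, hypothetical WordPress settings-import handler. This is example code written for this article, not code from the WooCommerce Dynamic Pricing and Discounts plugin or from WooCommerce, and the option name, the `admin_post` action name, the nonce action and the field names are all assumptions. The “before” version omits the capability check and the nonce, stores the submitted value verbatim and echoes it unescaped; the “after” version adds `current_user_can()`, `check_admin_referer()`, input sanitization and output escaping, and shows the form emitting the matching nonce field.

```php
<?php
// Added example, not the plugin's own code. Option, action and field names are assumed.

// --- BEFORE: no capability check, no nonce, no sanitization, no escaping ---
// admin_post_{action} runs for any logged-in user, and a CSRF page can make a
// logged-in administrator's browser submit this form without their knowledge.
function example_import_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_pricing_banner', $settings );   // raw markup/script is stored
    wp_safe_redirect( admin_url( 'admin.php?page=example-pricing' ) );
    exit;
}

function example_render_banner_vulnerable() {
    echo get_option( 'example_pricing_banner', '' );        // stored XSS: printed unescaped
}

// --- AFTER: capability check, nonce verification, sanitization, escaping ---
function example_import_settings_fixed() {
    // 1. Authorization: only users allowed to manage the shop may import settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to import settings.', 'example' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce this site issued for
    //    this specific action. check_admin_referer() stops the request on failure.
    check_admin_referer( 'example_import_settings', 'example_nonce' );

    // 3. Input sanitization: tags are stripped before anything is stored.
    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_pricing_banner', $settings );

    wp_safe_redirect( admin_url( 'admin.php?page=example-pricing' ) );
    exit;
}

function example_render_banner_fixed() {
    // 4. Output escaping: even if a bad value reached the database by another
    //    route, it is rendered as text rather than executed by the browser.
    echo esc_html( get_option( 'example_pricing_banner', '' ) );
}

// The settings form must emit the nonce field that the handler verifies.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import_settings">
        <?php wp_nonce_field( 'example_import_settings', 'example_nonce' ); ?>
        <textarea name="settings"></textarea>
        <button type="submit">Import</button>
    </form>
    <?php
}

// Hook the fixed handler. The capability check inside it is still required,
// because admin_post_{action} fires for every logged-in user.
add_action( 'admin_post_example_import_settings', 'example_import_settings_fixed' );
// Print the banner on single product pages (WooCommerce hook), escaped.
add_action( 'woocommerce_before_single_product', 'example_render_banner_fixed' );
```

The two checks address different attackers: the capability check stops a low-privileged account from writing the setting directly, and the nonce stops a CSRF page from riding on an administrator's session. Neither replaces escaping at the point of output, which is what prevents a stored value from running as script on every product page.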
As we reported last year, WooCommerce is increasingly being targeted by criminals, because of its large market share. We asked Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, and an avid follower of skimmers, how groups that use them would react to vulnerabilities like these.
“Two common mistakes website owners often make are to leave their Content Management System (CMS) unpatched and to believe they are not an interesting target. In many cases, users may choose not to apply security updates as they fear that it may introduce bugs or even break a website from loading properly. While this is true, it creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.
Magento, WooCommerce and several other CMSes are constantly being abused for a number of reasons. If your website does e-commerce, it becomes even more interesting as threat actors can not only target you but also your customers and their financial data in attacks such as Magecart.
Applying updates promptly is a necessity, and if for one reason or another it’s not possible, other solutions such as Web Application Firewalls exist to block known and unknown automated attacks.”
When using a CMS, and especially a popular one, you will have to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.
To do your online shopping safely it is advisable to take as many precautions as possible. There are browsers and browser configurations that will help you against falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.
Stay safe, everyone!