Critical vulnerability in WooCommerce, WordPress plugin

Cybersecurity specialists recommend that e-commerce WordPress websites using the WooCommerce plugin remain alert to a critical vulnerability that, if exploited, could allow hackers to take control of commercial activity on a compromised website.

Plugin Vulnerabilities, a company dedicated to the security of WordPress sites, disclosed this flaw and also published details of a proof of concept for its exploitation. This company has had serious disagreements with the official WordPress support specialists, who are accused of covering up some cybersecurity issues on the platform.

The specialists clarified that the vulnerability does not reside in WordPress itself or in the WooCommerce plugin. According to the report, the vulnerability lies in WooCommerce Checkout Manager, an add-on for WooCommerce that extends its functionality by letting e-commerce websites customize the format of their payment forms. The plugin is estimated to be in use on around 60k active websites.

About the vulnerability

This is an arbitrary file upload vulnerability that can be exploited remotely if a website has the “categorize uploaded files” feature enabled in the WooCommerce Checkout Manager plugin.

According to cybersecurity specialists, the vulnerability resides in the ‘includes/admin.php’ file, where uploaded files are moved into a directory using ‘move_uploaded_file’ without first performing the appropriate validation. If exploited, the vulnerability would allow a threat actor to run scripts on the server side, compromising the application to access stored data or gain administrator-level access.
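The kind of validation such an upload handler needs before calling ‘move_uploaded_file’, shown as an added PHP example that is not code from WooCommerce Checkout Manager or from the original report. The allowlist, function names and sample inputs are assumptions, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added illustration, not WooCommerce Checkout Manager code; all names are hypothetical.
// Unsafe pattern described above: the file is moved under the client-supplied name
// with no checks, so the client decides the stored file's extension.

const ALLOWED_TYPES = [ // assumption: the site only needs these upload types
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Returns a server-generated file name, or null when the upload is rejected.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null; // extension is not on the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null; // detected content type does not match the extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // never reuse the client's name
}

// Hardened replacement for a bare move_uploaded_file() call.
function store_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null; // PHP reported an upload error
    }
    $name = safe_upload_name($file['name'], $file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed samples that exercise the validator from the command line.
$tmp = tempnam(sys_get_temp_dir(), 'up');
$samples = [
    ['invoice.pdf', "%PDF-1.4\n%%EOF\n"], // PDF content under a PDF name
    ['invoice.php', "%PDF-1.4\n%%EOF\n"], // PDF content under a script extension
    ['invoice.pdf', "<?php echo 1;\n"],   // script content under a PDF name
];
foreach ($samples as [$name, $bytes]) {
    file_put_contents($tmp, $bytes);
    printf("%s => %s\n", $name, safe_upload_name($name, $tmp) ? 'accepted' : 'rejected');
}
unlink($tmp);
```

Storing uploads in a directory where the web server does not execute scripts limits the impact if a validation step is ever bypassed.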

Specialists from the International Institute of Cyber Security (IICS) recommend that e-commerce site managers who use this plugin disable the “categorize uploaded files” feature, at least until the company announces the release of an update that fixes the vulnerability.

Despite constant complaints from the official WordPress support forum, Plugin Vulnerabilities keeps disclosing security flaws in software compatible with this platform, which has led WordPress to place the firm on its blacklist.