A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say.
The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.
As of Monday, an update for WooCommerce Checkout Manager is available (version 4.3) that patches the vulnerability. That can be downloaded here.
“Earlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin,” said Luka Sikic, with WebArx Security in a Thursday post.
Visser Labs has not responded to a request for comment from Threatpost. On Friday, the plugin has been removed from the WordPress plugin repository. “This plugin was closed on April 26, 2019 and is no longer available for download,” according to a notice on the site. However, that still leaves the 60,000 websites who have already downloaded and are utilizing the plugin open to attack, according to researchers.
On Tuesday, Plugin Vulnerabilities published a proof of concept outlining an attack on an arbitrary file upload vulnerability in WooCommerce Checkout Manager. The disclosed vulnerability exists because the plugin’s “Categorize Uploaded Files” option does not check privileges or permissions before files are uploaded. As a result, bad actors could upload – and then execute – malicious files.
“Since there is no privilege or permission check before uploading a file, the exploitation of the vulnerability in WooCommerce Checkout Manager is simple and doesn’t require an attacker to be registered on the site,” Sikic said.
The number of vulnerable plugins being exploited in a massive campaign is racking up, with the WooCommerce Checkout Manager the latest plugin to be exploited.
The WooCommerce Checkout Manager is only the latest plugin to have a disclosed vulnerability, researchers say.
“We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time,” according to John Castro with Sucuri in a recent post. “Bad actors have added more vulnerable plugins to inject similar malicious scripts.”
Other plugins recently added to the attack include WP Inventory Manager and Woocommerce User Email Verification. That’s on top of others, including Social Warfare, Yellow Pencil Visual Theme Customizer, and Yuzo Related Posts.
Researchers urged plugin users to disable the plugin completely or disable the “Categorize Uploaded Files” option on the plugin settings page.
“Attackers are trying to exploit vulnerable versions of these plugins,” said Castro. “Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.”
This article was updated on April 30 at 8 a.m. ET to reflect that the vulnerability has now been patched.