Users Urged to Update WordPress Plugin After Flaw Disclosed


Yet another WordPress plugin vulnerability has put thousands of websites at risk.


A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say.

The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.

As of Monday, an update for WooCommerce Checkout Manager (version 4.3) that patches the vulnerability is available for download.

“Earlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin,” said Luka Sikic, with WebArx Security in a Thursday post.

Visser Labs has not responded to a request for comment from Threatpost. On Friday, the plugin was removed from the WordPress plugin repository. “This plugin was closed on April 26, 2019 and is no longer available for download,” according to a notice on the site. However, that still leaves the 60,000 websites that have already downloaded and are using the plugin open to attack, according to researchers.

On Tuesday, Plugin Vulnerabilities published a proof of concept outlining an attack on an arbitrary file upload vulnerability in WooCommerce Checkout Manager. The disclosed vulnerability exists because the plugin’s “Categorize Uploaded Files” option does not check privileges or permissions before files are uploaded. As a result, bad actors could upload – and then execute – malicious files.

“Since there is no privilege or permission check before uploading a file, the exploitation of the vulnerability in WooCommerce Checkout Manager is simple and doesn’t require an attacker to be registered on the site,” Sikic said.

The number of vulnerable plugins being exploited in a massive campaign is racking up, with the WooCommerce Checkout Manager the latest plugin to be exploited.

The WooCommerce Checkout Manager is only the latest plugin to have a disclosed vulnerability, researchers say.

“We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time,” according to John Castro with Sucuri in a recent post. “Bad actors have added more vulnerable plugins to inject similar malicious scripts.”

Other plugins recently added to the attack include WP Inventory Manager and Woocommerce User Email Verification. That’s on top of others, including Social Warfare, Yellow Pencil Visual Theme Customizer, and Yuzo Related Posts.

Researchers urged plugin users to disable the plugin completely or disable the “Categorize Uploaded Files” option on the plugin settings page.
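The following check is an added example, not code from Threatpost, the researchers or the plugin: it reads the installed plugin's version header, compares it with the patched 4.3 release, and lists files with PHP-executable extensions under the uploads directory. The plugin directory name `woocommerce-checkout-manager`, the extension list and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 3)  # the article gives 4.3 as the patched release
# Assumption: extensions a PHP host may execute; adjust to the server's configuration.
EXEC_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

def parse_version(text):
    """Read the 'Version:' line of a WordPress plugin header as an int tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def plugin_version(wp_root, slug):
    """Return the version from the first top-level plugin file that declares one."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    for php in sorted(plugin_dir.glob("*.php")):
        v = parse_version(php.read_text(errors="replace"))
        if v:
            return v
    return None

def executable_uploads(wp_root):
    """List uploaded files whose name carries an executable extension anywhere."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    return sorted(p.relative_to(uploads).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and any(s.lower() in EXEC_EXT for s in p.suffixes))

def triage(wp_root, slug="woocommerce-checkout-manager"):  # slug is an assumption
    v = plugin_version(wp_root, slug)
    return {"version": v, "needs_update": v is not None and v < FIXED,
            "executable_uploads": executable_uploads(wp_root)}

def build_sample_site(root):
    """Constructed sample tree (not a real site): old plugin plus a stray .PHP upload."""
    plug = Path(root) / "wp-content/plugins/woocommerce-checkout-manager"
    up = Path(root) / "wp-content/uploads/2019/04"
    plug.mkdir(parents=True)
    up.mkdir(parents=True)
    (plug / "plugin.php").write_text("<?php\n/*\n * Plugin Name: Sample\n * Version: 4.2.6\n */\n")
    (up / "receipt.pdf").write_text("constructed")
    (up / "notes.PHP").write_text("constructed placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage(build_sample_site(d)))
```

A file flagged under uploads is a lead for review rather than proof of compromise; some sites legitimately keep PHP files there.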

“Attackers are trying to exploit vulnerable versions of these plugins,” said Castro. “Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.”

This article was updated on April 30 at 8 a.m. ET to reflect that the vulnerability has now been patched.



  • Plugin Vulnerabilities on

    We actually published a post warning about the vulnerability, not just a proof of concept that confirms that the vulnerability exists. What you linked to from that other security company, which is based on our post, provides almost the same information as we provided in that respect, so if what we provided is something that shouldn't be linked to, that shouldn't be linked to either since it would also tell hackers how they would exploit the vulnerability. It looks like that company was looking for free press by piggybacking on to our work and you gave it to them. Worse still in that regard, the post you linked to from Sucuri provides the details on how hackers are attempting to exploit two vulnerabilities in a malicious fashion (though at first glance it appears that the hackers may be trying to exploit those in a way that won't work), which they refer to as payloads, and that provides the same amount, if not more detail for other hackers than a proof of concept would. So not linking to our post seems really odd here.
  • Viktor Szépe on

    When seeing these injections and poorly written code I became very sad.
  • MakeOnlineShops on

    Anyway, who is stupid enough to use a plugin only to achieve this?
  • Larry Mestas on

    I got hit with over 30000 emails from WordPress; finally had to stop MS email and go with Outlook email, and the emails stopped.
  • Michael Visser on

    Hi Threatpost, an urgent Plugin update was released over the weekend to resolve this. (The fun of being a Plugin caretaker; it's an adopted Plugin and its codebase is being re-written bit by bit.)
    • Lindsey O'Donnell on

      Thanks for letting everyone know Michael, and I am updating the article to include this information as well.
  • Brad on

    If you're still using WooCommerce over Shopify you're doing it WRONG.
  • Harold on

    I think WooCommerce does a great job. I use it with Neuronto deepl WordPress plugin, both are great.
