E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, a first available on Aug. 22 and a second on Sept. 2, failed to patch the problem.
A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers who were tipped off to the vulnerabilities publicly disclosed the flaws and offered a technical analysis.
“We strongly recommend updating to the latest version of this plugin, currently 2.2.1, as soon as possible, since the consequences of a breach on an e-Commerce site can be severe,” wrote researchers at Wordfence.
WooCommerce Self-Serve Coupons
The two vulnerabilities are tied to the plugin developer’s implementation of Asynchronous JavaScript and XML (AJAX) code. According to Flycart Technologies, Discount Rules for WooCommerce lets the 3.3 million active WooCommerce merchants use the add-on to streamline customer discounts and manage dynamic pricing. Researchers estimate that Discount Rules for WooCommerce is active on 40,000 sites running the WooCommerce open-source platform.
Researchers identify the flaws as “authorization bypass leading to stored cross-site scripting” bugs. The flaws gave hackers a springboard to an eventual compromise of a targeted site. Additionally, the flaws “allowed any site visitor to add, modify, and delete” discount rules through the plugin’s AJAX actions, and to view any existing coupons.
Third Time’s a Charm
On Aug. 20, researchers notified Flycart of the flaws impacting version two (V2) of Discount Rules for WooCommerce. On Aug. 22, Flycart released an “interim” solution – affording partial protection from an attack.
“The vulnerabilities that were originally patched in the plugin were AJAX actions present in the ‘v2’ codebase of the plugin… Unfortunately, the plugin maintained a separate ‘v1’ codebase containing an earlier version of this functionality. Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding an awdr_switch_plugin_to query string parameter set to v1 or v2,” researchers wrote.
Once the plugin was set to use the “v1” codebase, they wrote, “a number of AJAX actions became available providing similar functionality to the patched actions in ‘v2’.”
“For example, an attacker could send a POST request to wp-admin/admin-ajax.php with the action set to savePriceRule or saveCartRule and inject malicious JavaScript into one of the fields of a discount rule by adding it to the data parameter. The next time an administrator viewed or edited discount rules, the malicious JavaScript would be executed in their browser. Doing so could lead to site takeover by adding a backdoor to plugin or theme files, adding a malicious administrator, or any number of other actions,” Wordfence wrote.
On Sept. 2, Flycart released a second patch that addressed the vulnerabilities but left the version-switching functionality vulnerable to cross-site request forgery attacks, researchers said. A week later, on Sept. 9, Flycart released a patch that addressed both Discount Rules for WooCommerce issues, said researchers.
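The two defects the researchers describe, AJAX save actions reachable without an authorization check and a codebase switch driven by a bare query-string parameter, are both instances of a WordPress handler trusting the request instead of the caller. The following block is an added example written for this article, not Flycart’s code or the plugin’s actual fix; the `example_` handler names, option keys, nonce action names and the choice of `manage_woocommerce` / `manage_options` capabilities are assumptions. It shows the hardened shape of both handlers using standard WordPress APIs.

```php
<?php
/*
 * Added illustrative example: hardened versions of the two request-handling
 * patterns discussed above. Not the plugin's own code; all example_* names,
 * option keys and nonce actions are assumptions.
 */

// 1. Discount-rule save action. Registered only on 'wp_ajax_' (logged-in
//    users); the 'wp_ajax_nopriv_' hook is deliberately not registered, so
//    admin-ajax.php rejects the action for anonymous visitors outright.
add_action( 'wp_ajax_example_save_price_rule', 'example_save_price_rule' );

function example_save_price_rule() {
    // Authorization: being logged in is not enough; require the shop-manager
    // capability (manage_woocommerce is the standard WooCommerce capability).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // CSRF protection: verify the nonce that the admin page embedded in the
    // request. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_discount_rules', 'nonce' );

    // Treat the submitted rule as untrusted: allowlist the keys and sanitize
    // each value before it is stored.
    $raw  = isset( $_POST['data'] ) ? (array) wp_unslash( $_POST['data'] ) : array();
    $rule = array(
        'title'    => sanitize_text_field( $raw['title'] ?? '' ),
        'discount' => floatval( $raw['discount'] ?? 0 ),
    );
    update_option( 'example_discount_rule', $rule ); // assumed storage key
    wp_send_json_success( $rule );
}

// 2. Rendering a stored rule in wp-admin: escape at output time so that any
//    markup which reaches the database is shown as text, not executed in the
//    administrator's browser.
function example_render_rule_title( $rule ) {
    return '<td>' . esc_html( $rule['title'] ) . '</td>';
}

// 3. Codebase switching. A state change like this must never be honoured on
//    a plain GET parameter from an arbitrary visitor: require an admin, a
//    nonce, and an allowlisted target value.
add_action( 'admin_init', 'example_handle_codebase_switch' );

function example_handle_codebase_switch() {
    if ( ! isset( $_GET['example_switch_to'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Expects a _wpnonce query argument generated with
    // wp_nonce_url( $url, 'example_switch_codebase' ); dies on mismatch.
    check_admin_referer( 'example_switch_codebase' );

    $target = sanitize_key( wp_unslash( $_GET['example_switch_to'] ) );
    if ( ! in_array( $target, array( 'v1', 'v2' ), true ) ) {
        return; // reject anything outside the allowlist
    }
    update_option( 'example_active_codebase', $target ); // assumed option key
}
```

Each of the three checks addresses one element of the disclosed chain: the capability check closes the authorization bypass, the nonce check closes the cross-site request forgery path left open by the second patch, and output escaping means a stored payload would be neutralized even if a future input-handling bug slipped through. A plugin that keeps a legacy codebase around should apply the same checks to every entry point in that codebase, since the switch parameter described above only mattered because the older handlers had none.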
India-based Flycart Technologies has not yet responded to press inquiries requesting comment for this report. It is unclear if WooCommerce site operators will have to download patches for the Discount Rules for WooCommerce or if the plugin will receive an automated update.
Version 2.2.1 of Discount Rules for WooCommerce can be downloaded here.