E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two earlier fixes for the flaws, the first available on Aug. 22 and the second on Sept. 2, failed to fully patch the problem.
A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers who had been tipped off to the vulnerabilities publicly disclosed the flaws and offered a technical analysis.
“We strongly recommend updating to the latest version of this plugin, currently 2.2.1, as soon as possible, since the consequences of a breach on an e-Commerce site can be severe,” wrote researchers at Wordfence.
WooCommerce Self-Serve Coupons
Researchers identify the flaws as an “authorization bypass leading to stored cross-site scripting.” The flaws gave hackers a springboard to an eventual compromise of a targeted site. Additionally, the flaw “allowed any site visitor to add, modify, and delete” discount rules through the plugin’s AJAX actions, and also let them view any existing coupons.
Third Time’s a Charm
On Aug. 20, researchers notified Flycart of the flaws impacting version two (V2) of Discount Rules for WooCommerce. On Aug. 22, Flycart released an “interim” solution – affording partial protection from an attack.
“The vulnerabilities that were originally patched in the plugin were AJAX actions present in the ‘v2’ codebase of the plugin… Unfortunately, the plugin maintained a separate ‘v1’ codebase containing an earlier version of this functionality. Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding an awdr_switch_plugin_to query string parameter set to v1 or v2,” researchers wrote.
Once the plugin was set to use the “v1” codebase, they wrote, “a number of AJAX actions became available providing similar functionality to the patched actions in ‘v2’.”
On Sept. 2, Flycart released a second patch that addressed the vulnerabilities but left the version-switching functionality vulnerable to cross-site request forgery (CSRF) attacks, researchers said. A week later, on Sept. 9, Flycart released a patch that addressed both Discount Rules for WooCommerce issues, said researchers.
India-based Flycart Technologies has not yet responded to press inquiries requesting comment for this report. It is unclear if WooCommerce site operators will have to download patches for Discount Rules for WooCommerce manually or if the plugin will receive an automated update.
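The two defect classes the Wordfence writeup describes, an AJAX action reachable without authorization and a codebase switch with no CSRF protection, are shown below as a weak WordPress handler next to its hardened form. This is an added illustration, not Flycart’s code or Wordfence’s proof of concept; the hook, option and nonce names are hypothetical placeholders, and only the `awdr_switch_plugin_to` parameter name comes from the article.

```php
<?php
// Added illustration (not the plugin's actual code). All hook, option and
// nonce names are hypothetical; only 'awdr_switch_plugin_to' is from the article.

// WEAK: registered for unauthenticated callers (wp_ajax_nopriv_) and performs
// no capability or nonce check, so any site visitor can change discount rules.
add_action( 'wp_ajax_nopriv_example_save_rule', 'example_save_rule_weak' );
add_action( 'wp_ajax_example_save_rule', 'example_save_rule_weak' );
function example_save_rule_weak() {
    update_option( 'example_discount_rule', wp_unslash( $_POST['rule'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: logged-in users only, must hold a store-management capability,
// must present a valid nonce (blocks CSRF), and input is sanitized before
// storage so a stored XSS payload cannot be planted in the rule.
add_action( 'wp_ajax_example_save_rule_safe', 'example_save_rule_safe' );
function example_save_rule_safe() {
    check_ajax_referer( 'example_rule_nonce', 'nonce' ); // dies on bad/missing nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rule = sanitize_text_field( wp_unslash( $_POST['rule'] ?? '' ) );
    update_option( 'example_discount_rule', $rule );
    wp_send_json_success();
}

// The v1/v2 codebase switch was reachable through a bare query parameter on any
// page. The hardened equivalent runs only in the admin context, requires a
// privileged user and a nonce, and accepts only the two known values.
add_action( 'admin_init', 'example_handle_codebase_switch' );
function example_handle_codebase_switch() {
    if ( ! isset( $_GET['awdr_switch_plugin_to'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return; // anonymous or low-privilege users cannot flip the codebase
    }
    check_admin_referer( 'example_switch_codebase' ); // CSRF protection via _wpnonce
    $target = sanitize_key( wp_unslash( $_GET['awdr_switch_plugin_to'] ) );
    if ( in_array( $target, array( 'v1', 'v2' ), true ) ) {
        update_option( 'example_active_codebase', $target );
    }
}
```

When auditing a plugin for this pattern, every `wp_ajax_nopriv_` hook and every state-changing `$_GET` handler is worth a second look: each should justify why it needs no login, and each should carry a nonce check.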
Version 2.2.1 of Discount Rules for WooCommerce can be downloaded here.