WooCommerce Pricing Plugin Allows Malicious Code-Injection

The popular Dynamic Pricing and Discounts plugin from Envato can be exploited by unauthenticated attackers.

A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.

The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on. It also supports conditional price increase and extra fees.

Infosec Insiders Newsletter
According to researchers at the Ninja Technologies Network, the two unauthenticated vulnerabilities affect version 2.4.1 and below. The first is a high-severity stored cross-site scripting (XSS) bug; the second is a medium-severity settings export problem.

The XSS bug exists in the __construct method of the “wc-dynamic-pricing-and-discounts/classes/rp-wcdpd-settings.class.php” script, according to a Tuesday writeup from NinTechNet.

“It lacks a capability check and a security nonce and thus is accessible to everyone, authenticated or not,” researchers explained. “An unauthenticated user can import the plugin’s settings. Because some fields aren’t sanitized, the attacker can inject JavaScript code into the imported JSON-encoded file.”

If successful, the code will be executed on every product page of the WooCommerce e-shop, they added. Additionally, attackers could replace JavaScript code with any HTML tags, such as a Meta Refresh tag, which could be used to redirect visitors and customers to a malicious website.

Also, the import function lacks a security nonce to prevent against cross-site request forgery (CSRF) attacks, where a user can submit unauthorized commands from a site that the web application trusts.

The second bug exists because a core export function lacks a capability check and is accessible to everyone, authenticated or not.

“An unauthenticated user can export the plugin’s settings, inject JavaSript code into the JSON file and reimport it using the previous vulnerability,” according to NinTechNet.

The issues are patched in version 2.4.2, though the CSRF check is still not fixed, researchers warned.

Users of WooCommerce, the popular e-commerce platform for WordPress, are no strangers to having to patch security problems, and it’s important to keep on top of patching. Last month for instance WooCommerce rushed emergency fixes for a critical SQL-injection security vulnerability in the core platform and a related plugin that had been under attack as a zero-day bug, for instance. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles