A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.
The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on. It also supports conditional price increase and extra fees.
According to researchers at the Ninja Technologies Network, the two unauthenticated vulnerabilities affect version 2.4.1 and below. The first is a high-severity stored cross-site scripting (XSS) bug; the second is a medium-severity settings export problem.
The XSS bug exists in the __construct method of the “wc-dynamic-pricing-and-discounts/classes/rp-wcdpd-settings.class.php” script, according to a Tuesday writeup from NinTechNet.
Also, the import function lacks a security nonce to prevent against cross-site request forgery (CSRF) attacks, where a user can submit unauthorized commands from a site that the web application trusts.
The second bug exists because a core export function lacks a capability check and is accessible to everyone, authenticated or not.
“An unauthenticated user can export the plugin’s settings, inject JavaSript code into the JSON file and reimport it using the previous vulnerability,” according to NinTechNet.
The issues are patched in version 2.4.2, though the CSRF check is still not fixed, researchers warned.
Users of WooCommerce, the popular e-commerce platform for WordPress, are no strangers to having to patch security problems, and it’s important to keep on top of patching. Last month for instance WooCommerce rushed emergency fixes for a critical SQL-injection security vulnerability in the core platform and a related plugin that had been under attack as a zero-day bug, for instance. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.