Bug identified in WooCommerce plugin for WordPress websites

Researchers with Sucuri have identified an object injection vulnerability in the WooCommerce plugin for WordPress websites.

The issue, which Sucuri deemed dangerous and easy to exploit, has been addressed in WooCommerce version 2.3.11, but all earlier versions that have the “PayPal Identity Token” option set are at risk of a full site compromise.

“We managed to use a combination of WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643) to download critical files, files like wp-config.php; for those unfamiliar, this file contains the database credentials and WordPress secret keys,” Marc-Alexandre Montpas, vulnerability researcher with Sucuri, wrote in a Wednesday blog post.

Montpas noted that an attacker has several different attack vectors to choose from, depending on what extensions are available on the target site.
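The article names the bug class (PHP object injection) without describing the WooCommerce code path. The following is an added illustration, not code from WooCommerce, WordPress or Sucuri, of the generic pattern behind that class of bug and the usual fix: `unserialize()` on attacker-controlled input lets the input decide which classes get instantiated, and any class whose magic methods (`__wakeup`, `__destruct`) have side effects becomes reachable. The class, function and cookie names are hypothetical; the serialized string is constructed for the example.

```php
<?php
// Added example, not WooCommerce/WordPress/Sucuri code. Class and function
// names are hypothetical.

class AuditLogger {
    public $logFile = '/tmp/audit.log';

    // Runs automatically when an instance is rebuilt by unserialize().
    // A method like this that writes files or queries the DB is exactly
    // what makes an object-injection bug exploitable.
    public function __wakeup() {
        echo "AuditLogger restored, will log to {$this->logFile}\n";
    }
}

// Vulnerable pattern: raw request data reaches unserialize(), so the
// request decides which classes are instantiated and with which fields.
function loadPrefsUnsafe(string $cookie): array {
    $prefs = unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// Hardened (PHP >= 7.0): forbid object instantiation altogether. Any
// object in the payload becomes __PHP_Incomplete_Class, so no magic
// method runs and the non-array result is discarded.
function loadPrefsSafe(string $cookie): array {
    $prefs = unserialize($cookie, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// Preferable where possible: do not use PHP's native serialization for
// untrusted data at all; JSON cannot express objects of arbitrary classes.
function loadPrefsJson(string $cookie): array {
    $prefs = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($prefs) ? $prefs : [];
}

// Constructed input: a benign preferences array, and a serialized
// AuditLogger whose logFile field has been overridden by the sender.
$benign = serialize(['theme' => 'dark', 'items_per_page' => 20]);
$tampered = 'O:11:"AuditLogger":1:{s:7:"logFile";s:21:"/tmp/somewhere-else";}';

var_dump(loadPrefsUnsafe($benign));   // array(2) {...}
loadPrefsUnsafe($tampered);           // __wakeup() fires: object injection
var_dump(loadPrefsSafe($tampered));   // array(0) {} and no __wakeup() output
var_dump(loadPrefsJson(json_encode(['theme' => 'dark'])));  // array(1) {...}
```

When reviewing a plugin, the check is mechanical: grep for `unserialize(` and trace whether its argument can originate from a cookie, request parameter, or database row an unauthenticated user can influence; if so, the `allowed_classes` option or a switch to JSON closes the instantiation path independent of which gadget classes happen to be loaded.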
