Bug identified in WooCommerce plugin for WordPress websites

June 11, 2015

Researchers with Sucuri have identified an object injection vulnerability in the WooCommerce plugin for WordPress websites.

The issue – which Sucuri deemed dangerous and easy to exploit – has been fixed in WooCommerce version 2.3.11, but all earlier versions with the “PayPal Identity Token” option set are at risk of a full site compromise.

“We managed to use a combination of WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643) to download critical files, files like wp-config.php; for those unfamiliar, this file contains the database credentials and WordPress secret keys,” Marc-Alexandre Montpas, vulnerability researcher with Sucuri, wrote in a Wednesday blog post.

Montpas noted that several different attack vectors are available to an attacker, depending on which extensions are installed on the site.