
WooCommerce WordPress flaw allowed unique privilege escalation, 4M users affected

A file deletion vulnerability in WordPress can be used to exploit millions of WooCommerce shops.

WooCommerce is a free eCommerce plugin for WordPress. The vulnerability allows shop managers to delete certain files on the server and then take over any administrator account, according to a RIPS Technology blog post.

Shop managers are employees of the store who can manage orders, products and customers and are granted privileges below those of an admin. These lesser privileges can be obtained via XSS vulnerabilities or via phishing attacks, ultimately leaving four million WooCommerce shops vulnerable to attack.

Researchers noted that arbitrary file deletion vulnerabilities usually aren’t considered critical, as they usually only allow an attacker to carry out a denial of service by deleting the index.php of the website. In this case, however, deleting certain plugin files in WordPress can disable security checks and lead to a full site takeover.

This design flaw was patched in version 3.4.6 and is an example of how file deletion vulnerabilities in any WordPress plugin can be used to escalate privileges where meta privileges are used.

The vulnerability lies in the way WordPress handles privileges, due to an unpatched design flaw in its privilege system.

“The issue is that user roles get stored in the database and exist even if the plugin is disabled,” the blog said. “This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with ‘edit_users’ to edit any user, even administrators, would occur.”
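The behaviour described in the quote can be modelled in a few lines. This is an added illustration, not WordPress or WooCommerce code, and every name in it (`Site`, `shop_plugin`, `shop_manager_guard`, `unguarded_roles`) is hypothetical. It shows the role persisting while the plugin's check is no longer registered, plus an audit that flags roles left holding `edit_users` while their owning plugin is inactive.

```python
# Simplified model of the design flaw; names and structure are assumptions.
from dataclasses import dataclass, field

@dataclass
class Site:
    roles: dict = field(default_factory=dict)        # role -> caps, stored in the DB
    role_owner: dict = field(default_factory=dict)   # role -> plugin that created it
    users: dict = field(default_factory=dict)        # user -> role
    active_plugins: set = field(default_factory=set)
    meta_checks: list = field(default_factory=list)  # rebuilt on every load

    def load(self):
        """Per request: only active plugins get to register their checks."""
        self.meta_checks = []
        if "shop_plugin" in self.active_plugins:
            self.meta_checks.append(shop_manager_guard)

    def can_edit_user(self, actor, target):
        if "edit_users" not in self.roles[self.users[actor]]:
            return False
        # Default: edit_users alone allows editing anyone, administrators
        # included, unless a registered meta check vetoes the action.
        return all(check(self, actor, target) for check in self.meta_checks)

    def unguarded_roles(self):
        """Audit: roles holding edit_users whose owning plugin is not active."""
        return sorted(r for r, caps in self.roles.items()
                      if "edit_users" in caps
                      and self.role_owner.get(r) not in (None, *self.active_plugins))

def shop_manager_guard(site, actor, target):
    """Plugin-side restriction: shop managers may not edit administrators."""
    return not (site.users[actor] == "shop_manager"
                and site.users[target] == "administrator")

def build_site():
    """Constructed sample data: one admin, one shop manager, one customer."""
    site = Site()
    site.roles = {"administrator": {"edit_users"},
                  "shop_manager": {"edit_users"}, "customer": set()}
    site.role_owner = {"shop_manager": "shop_plugin", "customer": "shop_plugin"}
    site.users = {"alice": "administrator", "bob": "shop_manager",
                  "carol": "customer"}
    site.active_plugins = {"shop_plugin"}
    site.load()
    return site
```

With the plugin active, `can_edit_user("bob", "alice")` is refused; once `shop_plugin` is removed from `active_plugins` and `load()` runs again, the same call is allowed and `unguarded_roles()` reports `shop_manager`.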

The vulnerability was reported in August when researchers released a proof-of-concept that would enable threat actors to target the WordPress flaw.
