WordPress sites vulnerable to WooCommerce plugin flaw
Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress. It could allow an attacker who controls a single lower-privileged account (a Shop Manager) to take over an entire site.
WooCommerce’s four-million-plus users were first alerted to the issue a few weeks ago in the release notes for the patched version:
Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.
This week, PHP security company RIPS Technologies published the research behind that warning, giving WooCommerce and WordPress admins rather more of the gory detail.
There are two parts to the vulnerability, the first of which the researchers describe as a “design flaw in the privilege system of WordPress.”
The second, in WooCommerce itself, is an apparently simple file deletion vulnerability affecting versions 3.4.5 and earlier.
Which of the two is the bigger issue depends on whether you worry more about a site’s e-commerce function or happen to be its admin. Either way, it is the combination of the two that spells trouble.
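As an added illustration of the file deletion class mentioned above (this is example code written for this page, not WooCommerce’s or WordPress’s own), here is a PHP log-deletion handler that trusts a user-supplied file name, beside a hardened version of the same handler. The directory layout, file names and function names are constructed for the demo and are not taken from the real plugin; the script builds a throwaway tree under the system temp directory, so it runs stand-alone with `php example.php`.

```php
<?php
declare(strict_types=1);

// Illustrative code, not WooCommerce's: a log-deletion handler that trusts a
// user-supplied file name (the pattern behind an arbitrary file deletion bug),
// beside a hardened version of the same handler.

// Vulnerable: the handle is concatenated straight onto the log directory, so
// a handle such as "../../plugins/shop/shop.php" escapes it and deletes any
// file the web server account is allowed to remove.
function delete_log_vulnerable(string $logDir, string $handle): bool
{
    $path = $logDir . '/' . $handle;
    return is_file($path) && unlink($path);
}

// Hardened: allow-list the handle's shape, resolve the path, and confirm the
// resolved path is still inside the log directory before deleting anything.
function delete_log_hardened(string $logDir, string $handle): bool
{
    // Only "<letters/digits/_/->.log": no slashes, no "..", no other extension.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.log\z/', $handle) !== 1) {
        return false;
    }
    $base = realpath($logDir);
    $path = realpath($logDir . '/' . $handle);
    if ($base === false || $path === false) {
        return false; // directory or file does not exist
    }
    // realpath() has resolved symlinks and "..", so a prefix check is sound:
    // a symlinked log that points outside the directory is rejected here too.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($path) && unlink($path);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed demo layout under the system temp directory (not a real site).
$root = sys_get_temp_dir() . '/file-deletion-demo-' . bin2hex(random_bytes(4));
mkdir("$root/plugins/shop", 0700, true);
mkdir("$root/uploads/logs", 0700, true);
file_put_contents("$root/plugins/shop/shop.php", "<?php // constructed plugin entry point\n");
file_put_contents("$root/uploads/logs/orders.log", "constructed log line\n");

$logDir    = "$root/uploads/logs";
$target    = "$root/plugins/shop/shop.php";
$traversal = '../../plugins/shop/shop.php';

// The hardened handler refuses the traversal and still serves legitimate requests.
expect(delete_log_hardened($logDir, $traversal) === false, 'traversal rejected');
expect(file_exists($target), 'file outside log dir untouched by hardened handler');
expect(delete_log_hardened($logDir, 'orders.log') === true, 'real log deleted');
expect(!file_exists("$logDir/orders.log"), 'orders.log gone');

// The vulnerable handler deletes the file outside the log directory.
expect(delete_log_vulnerable($logDir, $traversal) === true, 'traversal succeeded');
expect(!file_exists($target), 'file outside log dir deleted by vulnerable handler');

echo "all checks passed\n";

// Tidy up the constructed layout.
rmdir("$root/plugins/shop"); rmdir("$root/plugins");
rmdir("$root/uploads/logs"); rmdir("$root/uploads"); rmdir($root);
```

The point of the hardened version is that neither check alone is enough: the allow-list regex stops `..` and slashes in the handle, while the `realpath()` prefix comparison also catches a legitimately named log file that is actually a symlink to something outside the directory. In a real WordPress handler you would additionally gate the action on a capability check and a nonce, which are left out here to keep the example runnable without WordPress.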