Security Experts:

Persistent XSS Patched in WooCommerce WordPress Plugin

An update released this week by the developers of WooCommerce, the popular ecommerce plugin for WordPress, patches a flaw that could allow attackers to hijack vulnerable websites.

Han Sahin, co-founder of Dutch security firm Securify, discovered that WooCommerce is plagued by a persistent cross-site scripting (XSS) vulnerability.

An attacker can exploit the flaw by creating a special image file that contains malicious JavaScript code in the metadata. WooCommerce uses information from the metadata to automatically fill in the “caption” field of an uploaded image.

If the attacker can convince an administrator to upload a malicious image as a product image or a gallery item, their code is injected into the targeted website. According to Sahin, an attacker can leverage the flaw to steal session tokens or login credentials and use them to perform actions on the victim’s behalf.

The vulnerability was addressed by WooCommerce developers this week with the release of version 2.6.3. They noted that the issue was related to how prettyPhoto, a jQuery-based lightbox clone, handled image captions.

WooCommerce was acquired last year by Automattic, the company behind and a core contributor to the WordPress project. The plugin is currently used on more than one million websites.

Ecommerce websites are often targeted by threat actors. Internet security firm Sucuri reported earlier this week that attackers have been launching phishing operations aimed at the checkout pages of ecommerce sites, including ones running WooCommerce. Cybercriminals have been planting malicious code on the checkout pages of legitimate websites in an effort to redirect users to phishing checkout pages.

The WooCommerce XSS is just one of the many vulnerabilities found by researchers as part of Summer of Pwnage, a WordPress-focused hacker event hosted by Securify between July 1 and 29. Participants from all around the world have so far identified 61 flaws in the WordPress core and various popular plugins.

“It’s great to work with plugin writers – they quickly understand the security problem and fix issues very fast,” Sahin told SecurityWeek. “WordPress has a lot of security features in the code base – it is not as bad as some people in infosec might think.”

“The biggest problem I see is the growing number of (uncontrolled) plugins,” the researcher explained. “A good suggestion would be to make an application filter in the WordPress core that forces a CSRF token on every CRUD [create, read, update, and delete] request to reduce the remote factor of issues.”

Related: Hacked WordPress Sites Target Random Users

Related: C99 Webshell Increasingly Used in WordPress Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.