A vulnerability in the WooCommerce online store platform, used by over four million vendors, can be exploited to hijack WordPress installations hosting the software.
Researchers at RIPSTech discovered and reported the flaw directly to WooCommerce's developers, who cleaned up the bug in version 3.4.6 – so make sure you're running that.
If exploited, the bug gives users with a shop manager account in WooCommerce the ability to delete files on the server and, possibly, take over admin accounts. That means rogue employees, or someone with access to their accounts, could vandalize or tamper with the host website, and so on.
"The way WordPress handles privileges is by assigning certain capabilities to different roles," explained RIPSTech researcher Simon Scannell.
"When the shop manager role is defined, it is assigned the edit_users capability so that they are allowed to edit customer accounts of the store. This happens during the installation process of the plugin."
The plugin then tries to limit these store managers so that they can only alter customer accounts, and not edit admin accounts.
The researchers found, however, that there was a design flaw: the shop manager role with its edit_users capability is defined directly in WordPress, while the access controls limiting managers were handled by WooCommerce. This means that if a store manager account can shut down the WooCommerce plugin, the user gains full editing ability over all WordPress accounts.
Disabling WooCommerce turned out to be trivial, thanks to WooCommerce also having an arbitrary file deletion flaw. Deleting woocommerce.php disables the plugin, and from there, it's party time for bad guys.
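The root cause above is that the restriction lives in a plugin that can be switched off while the edit_users capability lives in WordPress itself. One defensive pattern is to enforce the restriction as a must-use plugin (wp-content/mu-plugins/), which WordPress loads unconditionally and which deleting woocommerce.php does not affect. The following is an added illustration, not WooCommerce's or RIPSTech's code; it assumes WooCommerce's default role names (shop_manager, customer) and the standard WordPress map_meta_cap filter.

```php
<?php
/*
 * Plugin Name: Restrict shop_manager user edits (added example, not WooCommerce code)
 * Description: Enforces at the WordPress level that shop managers may only edit,
 * delete, remove or promote users whose roles are all in an allow-list. Lives in
 * wp-content/mu-plugins/ so it stays active even if the WooCommerce plugin is disabled.
 */

// Roles a shop manager is allowed to manage. Assumption: WooCommerce's default
// "customer" role; extend for other storefront roles you use.
const RSM_ALLOWED_TARGET_ROLES = array( 'customer' );

// Meta capabilities whose primitive mapping we tighten. WordPress passes the
// target user ID as $args[0] for each of these.
const RSM_USER_META_CAPS = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );

add_filter( 'map_meta_cap', 'rsm_restrict_shop_manager', 10, 4 );

function rsm_restrict_shop_manager( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, RSM_USER_META_CAPS, true ) || empty( $args[0] ) ) {
        return $caps; // not a per-user capability check; leave WordPress's mapping alone
    }
    $target_id = (int) $args[0];
    if ( $target_id === (int) $user_id ) {
        return $caps; // a shop manager may still edit their own profile
    }
    $actor = get_userdata( $user_id );
    if ( ! $actor || ! in_array( 'shop_manager', (array) $actor->roles, true ) ) {
        return $caps; // only shop managers are constrained by this filter
    }
    if ( in_array( 'administrator', (array) $actor->roles, true ) ) {
        return $caps; // an administrator who also holds shop_manager keeps full rights
    }
    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return $caps; // non-existent target; WordPress will fail the request anyway
    }
    // Every role the target holds must be in the allow-list; otherwise hard-deny.
    foreach ( (array) $target->roles as $role ) {
        if ( ! in_array( $role, RSM_ALLOWED_TARGET_ROLES, true ) ) {
            $caps[] = 'do_not_allow'; // WordPress treats this primitive cap as an unconditional deny
            return $caps;
        }
    }
    return $caps;
}
```

Because the check runs inside WordPress's own capability resolution, it covers wp-admin screens, the REST API and WP-CLI alike, and it cannot be removed by deleting a file in wp-content/plugins/.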
While the bug would be bad in any context, it is especially risky as it can be performed with what is essentially an end-user account. Store managers would not typically have extensive infosec training, and could be susceptible to things like phishing or cross-site-scripting attacks.
As RIPSTech points out, the bug also shows how WordPress, a platform that has its own share of security vulnerabilities, can also be left exposed to attack by flaws in its plugins.
Needless to say, admins should make sure they are running the patched version of WooCommerce. ®
Updated to add
"We've received no reports that this vulnerability was exploited," WooCommerce told The Reg in a statement.
"The vulnerability was discovered in the latest version of WooCommerce, so all stores with shop managers were affected. Not all stores have shop managers; only well-established stores with employees would need users with that role. To exploit this vulnerability an attacker would need to be logged in as a user with the shop manager role. Shop manager is inherently a high-trust role that should be given with care."