XSS Bug in Plugin Has Exposed 80K Retail WooCommerce Sites

The plugin “Variation Swatches for WooCommerce,” installed on roughly 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) flaw that could allow attackers to inject malicious web scripts into the plugin’s settings and, through them, take control of the site.

Variation Swatches is a WordPress plugin that lets businesses running the WooCommerce platform display several variations of the same product, such as a sweater in various colors. According to Wordfence researchers, vulnerable versions also allow authenticated users without administrator capabilities, such as customers or subscribers, to modify the plugin’s settings.

In a recent blog post, Wordfence’s Chloe Chamberland explained that the plugin registered three functions, ‘update_product_attr_type’, ‘tawcvs_save_settings’ and ‘update_attribute_type_setting’, each hooked to an AJAX action. None of the three performed a capability check (to confirm the caller is actually authorized) or a nonce check (WordPress’s safeguard against cross-site request forgery).

Exposing the “tawcvs_save_settings” function to low-privileged users is especially troubling, she added, because it can be used to change the plugin’s settings and store malicious web scripts that execute whenever a site owner opens the plugin’s settings page. The vulnerability (CVE-2021-42367) affected every version of the plugin prior to 2.1.2, which shipped the fix on Nov. 23.
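The pattern Chamberland describes, an authenticated AJAX handler that writes to the options table without checking who is calling or whether the request was forged, is easy to reproduce and easy to fix. The following is an added, hypothetical WordPress plugin snippet written for this article; it is not the Variation Swatches code, and the handler names, option name and setting keys are made up for illustration. It shows the insecure handler beside a hardened one and escapes the stored values on output, so a value that slipped past validation still could not execute on the settings page.

```php
<?php
/**
 * Hypothetical plugin snippet (added example, not the Variation Swatches code).
 * Shows an AJAX settings handler missing the two checks the article describes,
 * then a hardened version, then escaped output on the settings page.
 */

// ---- Vulnerable pattern: no capability check, no nonce check, no sanitisation ----
// wp_ajax_{action} fires for ANY logged-in user, including subscribers and
// WooCommerce customers, so authentication alone is not authorization.
add_action( 'wp_ajax_example_save_settings_insecure', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    // Raw POST data lands in the database: a stored XSS sink that fires for
    // whoever renders these settings later (typically an administrator).
    update_option( 'example_settings', $_POST['settings'] );
    wp_send_json_success();
}

// ---- Hardened pattern ----
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // 1. Authorization: only users allowed to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 3. Input validation: accept only the keys we expect and sanitise each one.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $allowed = array(
        'swatch_width' => 'absint',               // integer pixels only
        'tooltip_text' => 'sanitize_text_field',  // strips tags and control characters
    );
    $settings = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $raw[ $key ] ) ) {
            $settings[ $key ] = call_user_func( $sanitizer, $raw[ $key ] );
        }
    }

    update_option( 'example_settings', $settings );
    wp_send_json_success( $settings );
}

// ---- Settings page: escape on output too, so a bad stored value cannot execute ----
function example_render_settings_page() {
    $settings = get_option( 'example_settings', array() );
    $tooltip  = isset( $settings['tooltip_text'] ) ? $settings['tooltip_text'] : '';
    $width    = isset( $settings['swatch_width'] ) ? (int) $settings['swatch_width'] : 0;
    ?>
    <form id="example-settings">
        <!-- The nonce the hardened handler requires; the page's JS posts it
             to admin-ajax.php together with action=example_save_settings. -->
        <input type="hidden" name="nonce"
               value="<?php echo esc_attr( wp_create_nonce( 'example_save_settings' ) ); ?>">
        <input type="text" name="settings[tooltip_text]"
               value="<?php echo esc_attr( $tooltip ); ?>">
        <input type="number" name="settings[swatch_width]"
               value="<?php echo esc_attr( $width ); ?>">
    </form>
    <p>Current tooltip: <?php echo esc_html( $tooltip ); ?></p>
    <?php
}
```

The three checks are independent layers: the capability check stops subscribers and customers from reaching the write at all, the nonce check stops an administrator from being tricked into making the write from another site, and the sanitisation plus output escaping means that even an administrator who is coerced into saving a script-bearing value does not turn the settings page into an XSS payload.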

The WordPress ecosystem is already dealing with a run of problems, mishaps, and breaches. For example, GoDaddy, the world’s largest domain registrar, disclosed a breach last week affecting up to 1.2 million Managed WordPress customers, as well as GoDaddy Managed WordPress resellers.

In mid-November, another flawed WordPress plugin allowed attackers to display a fake ransomware notice demanding roughly $6,000 to unlock the site. The threat was empty: nothing had actually been encrypted, and all victims had to do was uninstall the plugin. Had the perpetrators deployed real ransomware, however, the consequences could have been disastrous.

In late October, a flaw in the Hashthemes Demo Importer plugin was disclosed that allowed subscriber-level users to wipe a site clean of all its content. According to Chamberland, site owners should update Variation Swatches for WooCommerce to the patched version to close this latest hole.

About the author

CIM Team

CyberIntelMag is a trusted authority in cybersecurity, comprised of leading industry experts with over 20 years of experience, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.