Unpatched flaw in WooCommerce Checkout Manager
An unpatched flaw in WooCommerce Checkout Manager, a popular WordPress plugin, is putting more than 60,000 websites at risk, according to researchers. WooCommerce Checkout Manager lets WooCommerce users customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin itself, which is owned by Automattic. According to Luka Sikic of WebArx Security, the issue is an arbitrary file upload vulnerability in the plugin, which extends the functionality of the well-known WooCommerce plugin.
On Friday the plugin was removed from the WordPress plugin repository: it was closed on April 26, 2019 and is no longer available for download. That does nothing for the roughly 60,000 websites that had already installed it and are still running it, which remain open to attack, according to researchers. Plugin Vulnerabilities published a proof of concept for the arbitrary file upload vulnerability in WooCommerce Checkout Manager. The flaw exists because the plugin's Categorize Uploaded Files option does not check privileges or permissions before a file is uploaded, so an attacker can upload a malicious file and then execute it. Because no privilege or permission check is performed, exploitation is simple and does not require the attacker to have an account on the site.
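To make the mechanism concrete, here is an illustrative WordPress AJAX upload handler of the kind described above, first as the unauthenticated, check-free pattern and then hardened. This is an added example written for this article; it is not WooCommerce Checkout Manager's code, and every hook name, function name and the allowed-type list are assumptions.

```php
<?php
/**
 * Illustrative example (NOT WooCommerce Checkout Manager's code): an AJAX
 * upload handler with no privilege check, followed by a hardened version.
 * Hook names, function names and the allow-list below are assumptions.
 */

// --- VULNERABLE pattern: reachable by anonymous visitors, no nonce, no type check ---
// Registering on wp_ajax_nopriv_* exposes the handler to users who are not
// logged in; nothing in the function verifies who is calling or what is sent.
add_action( 'wp_ajax_example_checkout_upload', 'example_checkout_upload_vulnerable' );
add_action( 'wp_ajax_nopriv_example_checkout_upload', 'example_checkout_upload_vulnerable' );

function example_checkout_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $name       = basename( $_FILES['file']['name'] );
    $dest       = $upload_dir['basedir'] . '/checkout/' . $name;
    // Any extension, including .php, is written inside the web root and is
    // then reachable (and executable) by URL: arbitrary file upload.
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/checkout/' . $name ) );
}

// --- HARDENED form of the same handler ---
// Only the authenticated wp_ajax_* hook is registered; an anonymous request
// never reaches the function (WordPress answers with its default "0" / 400).
add_action( 'wp_ajax_example_checkout_upload_safe', 'example_checkout_upload_hardened' );

function example_checkout_upload_hardened() {
    // 1. CSRF: the request must carry a nonce created for this action.
    check_ajax_referer( 'example_checkout_upload', 'nonce' );

    // 2. Authorization: require a capability that covers uploading media.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }

    // 3. Content validation: allow-list the types a checkout attachment may
    //    have (assumed list) and let WordPress check that extension and MIME agree.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $filename = sanitize_file_name( $_FILES['file']['name'] );
    $check    = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }

    // 4. Storage: route through wp_handle_upload() so the file lands in the
    //    uploads directory under a sanitized, de-duplicated name, restricted
    //    to the same allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

A checkout feature that genuinely must accept files from guests cannot rely on `current_user_can()`; in that case the nonce check, the strict type allow-list and storing uploads where the web server will not execute scripts are what stand between "file upload" and "remote code execution". The vulnerable version above has none of those, which is exactly why an unauthenticated request is enough.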
WooCommerce Checkout Manager is only the latest plugin with a disclosed vulnerability to be added to a long-running campaign, and researchers continue to see the number of targeted plugins grow. The attackers have added newly vulnerable plugins in order to inject similar malicious scripts; recent additions include WP Inventory Manager and Woocommerce User Email Verification, on top of Social Warfare, Yellow Pencil Visual Theme Customizer, and Yuzo Related Posts.
Researchers are urging users to disable the plugin completely or, at minimum, to disable the Categorize Uploaded Files option on the plugin's settings page. Attackers are actively trying to exploit vulnerable versions of these plugins, and public exploits already exist for all of them, so keeping software up to date is strongly encouraged to prevent infection. Note that updating does not help in this case: no fixed version of WooCommerce Checkout Manager has been published and the plugin has been pulled from the repository, so disabling the plugin, or at least the upload option, is the only mitigation currently available.