Security Flaw Found In WooCommerce WordPress Plugin


Sucuri researchers have found a security vulnerability (object injection) in the WooCommerce WordPress plugin that could allow attackers to download arbitrary files from the vulnerable server, such as files containing database login information.


About WooCommerce Plugin

WooCommerce is a complete eCommerce plugin for the WordPress CMS that lets users sell anything through their websites. According to WooThemes, the plugin has more than 1 million active users.


Object Injection Flaw

The "object injection" vulnerability is only present when WooCommerce's "PayPal Identity Token" option is set, the researchers say.


During their tests, the researchers managed to exploit the bug by combining WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643) and downloaded critical files such as wp-config.php, which contains the database credentials and WordPress secret keys.
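As an added illustration (not WooCommerce's or Sucuri's code), the generic PHP pattern behind an object-injection bug: `unserialize()` on attacker-controlled input rebuilds whatever class the payload names, so a magic method such as `__wakeup()` or `__destruct()` runs with attacker-chosen properties. The hardened variant refuses to instantiate objects at all and validates the shape it expected. The `CacheEntry` class and the token value are constructed for this example.

```php
<?php
// Constructed "gadget" class: an ordinary class whose magic method does work
// when an instance is rebuilt by unserialize(). Here it only records that it ran.
class CacheEntry
{
    public static int $wakeups = 0;
    public string $key = '';

    public function __wakeup(): void
    {
        // Real gadgets do things like file writes or DB calls here.
        self::$wakeups++;
    }
}

// VULNERABLE pattern: untrusted input goes straight to unserialize().
// The code expects an array, but the payload chooses the type.
function loadTokenUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED pattern (PHP >= 7.0): allowed_classes => false turns any object in
// the payload into __PHP_Incomplete_Class, so no magic method can run;
// the decoded value is then checked against the expected shape before use.
function loadTokenSafe(string $untrusted): ?array
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $k => $v) {
        if (!is_string($k) || !is_string($v)) {
            return null;
        }
    }
    return $value;
}

// Constructed inputs: what the caller expects, and an object payload.
$expected = serialize(['identity_token' => 'EXAMPLE-TOKEN']);
$object   = serialize(new CacheEntry());
CacheEntry::$wakeups = 0;

// Unsafe path: the object is rebuilt and __wakeup() fires.
$unsafe = loadTokenUnsafe($object);
printf("unsafe: got %s, __wakeup ran %d time(s)\n", get_debug_type($unsafe), CacheEntry::$wakeups);

// Safe path: the object payload is rejected and the counter does not move.
$safe = loadTokenSafe($object);
printf("safe: got %s, __wakeup ran %d time(s)\n", get_debug_type($safe), CacheEntry::$wakeups);

// Safe path with the legitimate array payload still works.
var_dump(loadTokenSafe($expected));
```

The same check applies to any option, cookie or request field that is passed to `unserialize()`; where the data does not need to carry PHP objects, `json_decode()` is the simpler replacement.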

Marc-Alexandre Montpas, a security researcher at Sucuri, said in a blog post, "It is worth noting that even if your site doesn't run on top of an old version of PHP, there are a lot of different attack vectors an attacker could use depending on what extensions you have available."

"There's also a couple other bugs related to PHP itself that we could have investigated, but we decided to stick with CVE-2013-1643 because it's widely documented and relatively simple to recreate."

If you are using the vulnerable version of the plugin, update it as soon as possible.

Patched version: 2.3.11.

1 comment:

  1. Great article. I learned more things about WooCommerce. Thanks for sharing.
    WooCommerce Development Services
