Cybersecurity researchers have helped patch a security flaw in a popular WordPress plugin, which made it possible for an attacker to inject rogue JavaScript scripts into the plugin’s settings.
Discovered by WordPress security experts at Wordfence, the vulnerability exists in the Variation Swatches for WooCommerce plugin, an extension for the popular WooCommerce plugin that enables ecommerce sites to display and sell multiple variations of a single product.
The plugin has a user base of 80,000 installations that were affected by the stored cross-site scripting (XSS) vulnerability
“This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin,” explains Chloe Chamberland, Wordfence researcher.
Site takeover
Chamberland says the vulnerability exists because the plugin relies on various AJAX actions for managing settings, which weren’t implemented securely. This allowed even the lowest authenticated user with minimal permissions to execute AJAX actions associated with the vulnerable functions.
“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site,” said Chamberland, commenting on the implications of the bug.
The developers of the plugin have fixed the flaw and released a patched version of the extension, urging all its users to make sure their installations are fully updated.
