Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the unpatched websites.
WooCommerce is one the most popular eCommerce plugins for WordPress that helps websites to upgrade their standard blog to a powerful online store. WooCommerce powers nearly 35% of e-stores on the internet, with more than 4 million installations.
Exploiting WooCommerce File-Deletion and WordPress Design Flaws
The attack demonstrated in the following video takes advantage of the way WordPress handles user privileges and WooCommerce file deletion vulnerability, allowing an account with “Shop Manager” role to eventually reset administrator accounts’ password and take complete control over the website.
When installed, WooCommerce extension creates “Shop Managers” accounts with “edit_users” capability, allowing them to edit customer accounts of the store in order to manage their orders, profiles, and products.
In WordPress, an account with “edit_users” capability by default allowed to even edit an administrator account and reset its password. But to draw a permission-based line between an administrator and a shop manager account, the WooCommerce plugin adds some extra limitations on the shop managers.
However, the researcher discovered that if WordPress admin, for some reason, disables the WooCommerce plugin, its configuration that mandated the limitation goes away, allowing Shop Manager accounts to edit and reset the password for administrator accounts.
Now, according to Simon, a malicious Shop Manager can forcefully disable the WooCommerce plugin by exploiting a file deletion vulnerability that resides in the logging feature of WooCommerce.
“This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, woocommerce.php, WordPress will be unable to load the plugin and then disables it,” Simon explains in a blog post.
Once the file is deleted, the WooCommerce plugin gets disabled, allowing shop managers to update the password for the administrator account and then take over the complete website.
Install WooCommerce and WordPress Patch Updates
The researcher responsibly reported the security issues to the Automattic security team, who manages the WooCommerce plugin, via Hackerone on 30, August 2018. The team acknowledged the flaws and fixed them in Woocommerce version 3.4.6 last month.
If you haven,t yet updated your WordPress and Woocommerce, you are highly recommended to install the latest available security updates as soon as possible.