Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site.
WooCommerce’s four million plus users were first alerted to the issue a few weeks back in the release notes for the updated version:
Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.
This week, PHP security company RIPS Technologies published the research that led to this warning which gives WooCommerce and WordPress admins more of the gory detail.
There are two parts to the vulnerability, the first of which the researchers describe as a “design flaw in the privilege system of WordPress.”
The second, in WooCommerce itself, is an apparently simple file deletion vulnerability affecting versions 3.4.5 and earlier.
Which of the two is the bigger issue will depend on whether you worry more about a site’s e-commerce function or happen to be its admin – either way, the combination spells trouble.
The vulnerability
After gaining access via a phishing attack or as an inside job, an attacker could use a weakness in the log file deletion routine to delete woocommerce.php, taking down the site and causing WordPress to disable the plugin.
This, RIPS Technologies researcher Simon Scannell discovered, would be enough for any WooCommerce user with a Shop Manager account and an understanding of what they’d just done to compromise the entire site.
But how?
When WooCommerce is installed, it assigns the Shop Manager role the potent edit_users capability it needs to edit customer accounts. That role-to-capability mapping is stored by WordPress itself, in the site’s database, rather than by the plugin.
Because edit_users could be used to edit the WordPress site’s admin account too, WooCommerce narrows its scope with a special ‘meta capability’ filter.
Unfortunately, for WordPress to apply this safeguard the plugin needs to be active – which it wouldn’t be if an attacker had exploited the WooCommerce file deletion weakness.
Writes Scannell:
The meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with edit_users to edit any user, even administrators, would occur.
The account with Shop Manager privileges would then be able to elevate them by changing the administrator account’s password, and with it take control of the entire site.
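The lesson in the passage above is that a restriction which only exists while a particular plugin is active is no restriction at all once that plugin is gone. The following is an added example of the defensive counterpart, written for this article and not taken from RIPS Technologies, WooCommerce or WordPress core: a small must-use plugin that denies any non-administrator the edit, delete, remove or promote meta capabilities on administrator accounts, plus an audit helper that warns when a role other than administrator holds edit_users or promote_users. It assumes only core WordPress hooks and functions (map_meta_cap, get_userdata, wp_roles, admin_notices); the example_ function names and the file location are hypothetical.

```php
<?php
/**
 * Plugin Name: Protect Administrator Accounts (example)
 * Description: Denies non-administrators any user-editing capability on administrator
 *              accounts, regardless of which other plugins are active.
 */
// Hypothetical placement: wp-content/mu-plugins/example-protect-admins.php.
// Files in mu-plugins load on every request and cannot be deactivated from wp-admin,
// so this check does not disappear when another plugin is disabled or deleted.

add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );

/**
 * Runs after WordPress core has mapped a meta capability to primitive capabilities.
 * Returning array( 'do_not_allow' ) makes the capability check fail for everyone.
 *
 * @param string[] $caps    Primitive capabilities core has already mapped to.
 * @param string   $cap     The meta capability being checked (e.g. 'edit_user').
 * @param int      $user_id ID of the user whose capabilities are being checked.
 * @param array    $args    Extra arguments; $args[0] is the target user ID.
 * @return string[]
 */
function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Only the user-targeting meta capabilities matter here.
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $target = get_userdata( (int) $args[0] );
    if ( ! $target || ! in_array( 'administrator', (array) $target->roles, true ) ) {
        return $caps; // Target is not an administrator: leave core's mapping untouched.
    }

    $actor = get_userdata( (int) $user_id );
    if ( $actor && in_array( 'administrator', (array) $actor->roles, true ) ) {
        return $caps; // Administrators keep their normal ability to manage each other.
    }

    // A non-administrator (e.g. a Shop Manager holding edit_users) is acting on an
    // administrator: deny outright, whatever primitive capabilities they hold.
    return array( 'do_not_allow' );
}

/**
 * Audit helper: returns the slugs of roles other than 'administrator' that hold a
 * capability allowing them to edit or promote other users.
 *
 * @return string[]
 */
function example_roles_with_user_editing_caps() {
    $risky = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        $capabilities = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
        if ( ! empty( $capabilities['edit_users'] ) || ! empty( $capabilities['promote_users'] ) ) {
            $risky[] = $slug;
        }
    }
    return $risky;
}

// Surface the audit result to administrators so the grant does not go unnoticed.
add_action( 'admin_notices', 'example_warn_about_user_editing_roles' );

function example_warn_about_user_editing_roles() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $roles = example_roles_with_user_editing_caps();
    if ( empty( $roles ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s <code>%s</code></p></div>',
        esc_html__( 'Non-administrator roles with edit_users or promote_users:', 'example' ),
        esc_html( implode( ', ', $roles ) )
    );
}
```

Two design choices are deliberate. First, the filter returns do_not_allow rather than removing edit_users from the role: the role keeps the capability it legitimately needs for customer accounts, and only the dangerous target (an administrator) is blocked. Second, the code lives in mu-plugins precisely because the article’s scenario hinges on a safeguard vanishing when its host plugin is disabled; a must-use plugin has no deactivation path from the dashboard and is not affected by another plugin’s files being deleted.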
What to do
On the WooCommerce side, ensure it has been upgraded to version 3.4.6, which appeared on 11 October. Plugins aren’t updated automatically by default, which means admins will have to initiate the update themselves via the Plugins entry in the wp-admin dashboard sidebar.
As for the WooCommerce fix:
With this release, Shop Managers can only edit users with the Customer role by default, and there is a whitelist of roles that Shop Managers can edit.
Redesigning the way the WordPress permission system interacts with plugins might take a little longer.
For reasons as long as your arm, plugins have always been WordPress’s underbelly. The TL;DR is that they need constant tending as does the platform itself – never take either for granted.