According to WordPress resource WPKube, “WordPress is used on over 75 million websites. This number includes everything from small personal websites to big corporations like Walt Disney, Microsoft, Sony, or The New York Post.” The WordPress plugin repository includes almost 60,000 plugins, and it is no surprise that vulnerabilities arise from the sheer amount of potential flaws in so many third-party external plugins. This time, a critical vulnerability and the related fix were posted on The Ninja Technologies Network NinTechNet’s blog on July 26th, 2021.
The WooCommerce Plugin Vulnerability
According to fresh news from NinTechNet, a cybersecurity blog for both professional business and personal blogs, a release report for the “WordPress Advanced Shipment Tracking for WooCommerce” (AST) plugin vulnerability was made public today, on July 26th, 2021. The report states that the plugin had over 50,000 active installations and that the affected versions were 3.2.4.1 and below, as well as 3.2.6. This means that over 50,000 websites were using this plugin and were potentially vulnerable. The AST plugin facilitates management and automation of WooCommerce fulfillment workflow such as the ability to add tracking information, order information, and keep customers informed. The plugin claims to benefit the efficacy of post-shipping inquiries as well as increase customer satisfaction.
Technical Details Surrounding The Plugin Vulnerability
The vulnerability has been marked as critical, with a score of 9.9 on the CVSS scale (the Common Vulnerability Scoring System scale). The plugin vulnerability stems from the ‘WordPress Advanced Shipment Tracking for WooCommerce’ plugin. Timeline details reveal that the vulnerability was reported to the authors on June 23, 2021. Following this event, version 3.2.5 was released to mitigate the primary flaw instance. Subsequently, it was discovered that 3.2.5 could still be compromised. According to the release report on the blog, “Several functions in the plugin were accessible to any logged-in users.” As a result, versions 3.2.6 and 3.2.7 were released respectively on July 22nd and July 23rd, 2021.
Lack of Capability Check And Security Nonce Spells Danger
According to the NinTechNet blog release report, the plugin flaw is a vulnerability in the PHP script around a function that is used for “saving options to the WordPress options table in the database.” Furthermore, “It doesn’t validate inputs and as it lacks a capability check and a security nonce, it is accessible to all authenticated users and WooCommerce customers.” The flaw can allow “any array (and integer) data in the WordPress options table” to be “altered” with the “AJAX action”. This means that traffic can be redirected to a malicious external website, by any authenticated user. The following possible exploitations of the flaw were also reported;
Create an administrator account by enabling registration and activating the administrator role Changing the administrator role’s email address Activation and deactivation of plugins
A Fix Was Released Today
Information about the new fix for the plugin vulnerability was released to the public today on July 26th, 2021. NinTechNet recommends that users immediately upgrade if they have versions 3.2.6 or below installed currently. It is strongly recommended that all users run version 3.2.7 of the Advanced Shipment Tracking for WooCommerce plugin for the moment. The good news is that, if users already have a web application firewall for WordPress such as the NinjaFirewall WP Edition (free or premium editions), they are fully protected and need not worry. In general, it is recommended that users always check back on the NinTechNet blog and official WordPress website for further information.
