NEW YORK, NY – If you're running a WordPress website with the popular WooCommerce plugin, a shopping cart used by roughly four million sites, a newly disclosed vulnerability means your WooCommerce plugin must be up to date. Otherwise, users assigned the "Shop Manager" role could take over an administrator account, hijack your site, and wipe out effectively all of its data.
The vulnerability was first reported to WordPress and WooCommerce in August, after it was discovered by researchers at RIPS Technologies (RIPSTech), a PHP security analysis firm in Germany. It was addressed and fixed in WooCommerce version 3.4.6.
"When the shop manager role is defined, it is assigned the edit_users capability so that they are allowed to edit customer accounts of the store. This happens during the installation process of the plugin."
The flaw lay in how that editing capability was constrained. While WooCommerce is active, shop managers can only edit the users WooCommerce defines as belonging to the store, such as customers. RIPS researchers found that if WooCommerce was disabled, that restriction disappeared and the capability extended to every user created in WordPress, including administrators, allowing an attacker holding a shop manager account to take over an administrator account.
"…there was a design flaw: the shop manager role with its edit_users capability is defined directly in WordPress, while the access controls limiting managers were handled by WooCommerce. This means that if a store manager account can shut down the WooCommerce plugin, the user would have full editing ability over all WordPress accounts."
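To make the design point concrete, here is an added example of the defence-in-depth a site owner could deploy on top of updating. It is not code from the original article and not WooCommerce's own fix. It is a hypothetical must-use plugin, placed in wp-content/mu-plugins/ so it loads on every request and cannot be deactivated from the Plugins screen, that hooks WordPress's core map_meta_cap filter and refuses to let a user holding the shop_manager role edit, delete or promote any account outside an allowed list of roles, whether or not WooCommerce is active. The file name, the function names and the SMG_EDITABLE_ROLES list are assumptions for this example; the role slug shop_manager and the edit_users capability are the ones the text describes.

```php
<?php
/**
 * Plugin Name: Shop Manager Guard (hypothetical must-use plugin, added example)
 * Description: Keeps shop managers from editing, deleting or promoting
 *              administrator accounts even when WooCommerce is deactivated.
 *
 * Install as wp-content/mu-plugins/shop-manager-guard.php. Must-use plugins
 * are always loaded and have no deactivate link, so disabling WooCommerce
 * does not switch this restriction off.
 */

// Roles a shop manager may still manage. Assumption for this example: only
// the roles a store actually needs a manager to touch, never 'administrator'.
const SMG_EDITABLE_ROLES = array( 'customer', 'subscriber' );

/**
 * Deny edit_user / delete_user / promote_user when the acting user is a
 * shop manager and the target holds any role outside SMG_EDITABLE_ROLES.
 *
 * map_meta_cap is a core WordPress filter (apply_filters( 'map_meta_cap',
 * $caps, $cap, $user_id, $args )). Returning 'do_not_allow' in the capability
 * list makes current_user_can() fail for that action. For these meta caps,
 * $args[0] is the ID of the user being acted on.
 */
function smg_restrict_shop_manager( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user', 'promote_user' ), true ) ) {
        return $caps;
    }

    $actor = get_userdata( $user_id );
    if ( ! $actor || ! in_array( 'shop_manager', (array) $actor->roles, true ) ) {
        return $caps; // not a shop manager: leave core and plugin decisions alone
    }

    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( $target_id === (int) $user_id ) {
        return $caps; // a manager editing their own profile is fine
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return array( 'do_not_allow' ); // unknown target: fail closed
    }

    foreach ( (array) $target->roles as $role ) {
        if ( ! in_array( $role, SMG_EDITABLE_ROLES, true ) ) {
            return array( 'do_not_allow' ); // e.g. the target is an administrator
        }
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'smg_restrict_shop_manager', 10, 4 );
```

The guard fails closed: a target that cannot be loaded, or that carries any role not on the allow list, is refused. Because the check lives in the site's own must-use code rather than in a plugin a shop manager might be able to disable, the capability defined in WordPress and the control that limits it are no longer split across two components, which is the design flaw the RIPS researchers describe.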
Not all plugin users update as often as they should, for fear of breaking customizations or WooCommerce templates, but if you are running WooCommerce it is critical that you update and are running at least WooCommerce version 3.4.6.
More generally, if you run any WordPress-powered website, you need to make sure it and all of your plugins are always up to date. Too many vulnerabilities are disclosed to leave your CMS and plugins unpatched once a release comes out. I recommend that all WordPress sites use the free security plugin Wordfence, which alerts you to known vulnerabilities in your WordPress installation, continually scans files, notifies you of necessary action items and injection attempts, and helps keep your site safe and secure.
WooCommerce is owned by Automattic Inc., the company behind WordPress.com; WordPress itself is an open-source project rather than a product Automattic owns. If you would like to dive deeper into the vulnerability, RIPS Technologies security researcher Simon Scannell goes into great detail on the flaw here.
About The Author: John Colascione is Chief Executive Officer of Searchen Networks Inc. and Internet Advertising Inc. He specializes in website monetization, authored a 'how to' book called 'Mastering Your Website', and is a key player in several Internet-related businesses through his search engine strategy company Searchen Networks®.