Strategic Revenue - Domain and Internet News

Internet news authored by John Colascione

WordPress Vulnerability for Sites Running WooCommerce with “Shop Manager” Role

November 8, 2018 By John Colascione

NEW YORK, NY – If you’re running a WordPress website with the popular WooCommerce plugin, a shopping cart used by roughly four million sites, there is a new vulnerability that makes it essential to keep your WooCommerce plugin up to date. Otherwise, users marked as “Shop Managers” could hijack your site and virtually wipe out all data by compromising your administrator account.

This new vulnerability was first reported to WordPress and WooCommerce in August, when it was discovered by researchers at RIPSTech, a PHP security analysis firm in Germany. It was then addressed and fixed in WooCommerce version 3.4.6.

“When the shop manager role is defined, it is assigned the edit_users capability so that they are allowed to edit customer accounts of the store. This happens during the installation process of the plugin.”

The flaw came from how the shop manager's editing capability was restricted. While WooCommerce is active, shop managers can only edit the users defined as being within the WooCommerce environment, but RIPS researchers found that if WooCommerce was disabled, these editing capabilities were extended to all users created in WordPress, allowing a hacker to take over an administrator account.

…there was a design flaw: the shop manager role with its edit_users capability is defined directly in WordPress, while the access controls limiting managers were handled by WooCommerce. This means that if a store manager account can shut down the WooCommerce plugin, the user would have full editing ability over all WordPress accounts.
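A defense-in-depth sketch of the point above, added here as an example; it is not code from the original article, from RIPS, or from WooCommerce, and it does not replace updating to 3.4.6. It moves the "non-administrators cannot edit administrators" check into a must-use plugin, so the restriction no longer depends on another plugin staying active. The `example_` names, the file name and the protected-role list are assumptions.

```php
<?php
/**
 * Plugin Name: Protect privileged accounts (added example)
 * Install as wp-content/mu-plugins/protect-privileged-accounts.php (hypothetical
 * file name). Must-use plugins have no Deactivate link in the admin screens.
 */

// Assumption: roles this site treats as privileged. Adjust to your own roles.
const EXAMPLE_PROTECTED_ROLES = array( 'administrator' );

// Meta capabilities WordPress checks before acting on one specific account.
const EXAMPLE_GUARDED_CAPS = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );

/** True when the account exists and holds at least one protected role. */
function example_is_privileged( $user ) {
	return $user && (bool) array_intersect( EXAMPLE_PROTECTED_ROLES, (array) $user->roles );
}

/**
 * map_meta_cap callback: $user_id is the acting user, $args[0] the target account.
 * Appending 'do_not_allow' makes the capability check fail for everyone.
 */
function example_guard_privileged_accounts( $caps, $cap, $user_id, $args ) {
	if ( ! in_array( $cap, EXAMPLE_GUARDED_CAPS, true ) || empty( $args[0] ) ) {
		return $caps; // Not a check against one specific account.
	}

	$target_id = (int) $args[0];
	if ( $target_id === (int) $user_id ) {
		return $caps; // Acting on one's own profile: leave core rules in place.
	}

	// Deny when the target is privileged and the acting user is not.
	if ( example_is_privileged( get_userdata( $target_id ) )
		&& ! example_is_privileged( get_userdata( $user_id ) ) ) {
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_guard_privileged_accounts', 10, 4 );
```

The guard only covers actions against existing accounts in the protected roles; which roles may be assigned to other users is a separate control.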

Not all plugin users update as frequently as they should for fear of breaking customizations or WooCommerce templates, but if you are running an installation of WooCommerce it is critical you update it and are running at least WooCommerce version 3.4.6.

However, if you are running any WordPress-powered website, you need to make sure it and all of your plugins are always up to date. There is just too much vulnerability out there to not update your CMS and plugins immediately when a release comes out. I recommend all WordPress sites use a free security plugin called WordFence, which will alert you to all vulnerabilities in your WordPress site, continually scan files, and notify you of necessary action items and injection attempts, while helping keep your site safe and secure.

Both WordPress and WooCommerce are owned by a company called Automattic Inc. If you would like to dive deeper into the vulnerability, RIPS Technologies Security Researcher Simon Scannell goes into great detail on the flaw here.

About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a “how to” book called “Mastering Your Website”, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®.

Copyright © 2010-2025 StrategicRevenue.com - Property of Internet Marketing Services Inc.