Developers of the Discount Rules for WooCommerce WordPress plugin have released a third security patch to address two high-severity cross-site scripting (XSS) flaws that could be exploited by an attacker to hijack a targeted site.
Administrators of e-stores using the WordPress plugin Discount Rules for WooCommerce should apply the patch as soon as possible. The development team behind the plugin had already attempted to address the same issues twice: a first patch was released on August 22 and a second one on September 2, but both failed to fix the vulnerabilities.
The third round of security fixes was released on September 9, and researchers from Wordfence have now publicly disclosed technical details of the flaws.
“On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. We released a firewall rule to protect against these vulnerabilities the same day.” reads the analysis published by Wordfence. “During our investigation, we also discovered a separate set of vulnerabilities in the plugin that were not yet patched, and released a firewall rule to protect against these separate vulnerabilities the next day, on August 21, 2020.”
The vulnerabilities that were initially addressed in the plugin were AJAX actions present in the “v2” codebase of the plugin that allowed any site visitor to add, modify, and delete discount rules, and to access any existing coupons.
On August 20, Wordfence experts reported the issues in v2 of Discount Rules for WooCommerce to Flycart, the development team behind the plugin.
“The vulnerabilities that were originally patched in the plugin were AJAX actions present in the “v2” codebase of the plugin that allowed any site visitor to add, modify, and delete these rules and view any existing coupons. Unfortunately, the plugin maintained a separate “v1” codebase containing an earlier version of this functionality.” continues the analysis. “Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding an awdr_switch_plugin_to query string parameter set to v1 or v2.”
The second patch, released in early September, addressed the flaws but left the version-switching functionality vulnerable to cross-site request forgery (CSRF) attacks. On September 9, Flycart released a patch that addressed both Discount Rules for WooCommerce issues.
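The two weaknesses Wordfence describes, AJAX actions reachable by any visitor and a setting that changes on a bare query-string parameter, map onto well-known WordPress anti-patterns. The PHP below is an added illustration written for this article, not code from the plugin or from Flycart; every hook, option, parameter and capability name in it (example_save_rule, example_codebase, example_switch_to, manage_woocommerce) is assumed. It shows the weak pattern beside a hardened handler that requires a login, a nonce and a capability, and moves the codebase switch to a nonce-checked, admin-only POST.

```php
<?php
// Added illustration, not the plugin's code: a WordPress AJAX handler and a
// "codebase switch", first in the weak pattern the article describes, then
// hardened. All hook, option, capability and parameter names are assumed.

/* ---------- Weak pattern: any visitor, no nonce, no capability check ---------- */

// wp_ajax_nopriv_* runs for logged-out users, so every site visitor can call it.
add_action( 'wp_ajax_nopriv_example_save_rule', 'example_save_rule_weak' );
add_action( 'wp_ajax_example_save_rule',        'example_save_rule_weak' );

function example_save_rule_weak() {
    // No check_ajax_referer(), no current_user_can(): anyone can write rules.
    $rule = wp_unslash( $_POST['rule'] ?? '' );
    update_option( 'example_discount_rule', $rule );
    wp_send_json_success();
}

// Changing state on a bare GET parameter is a CSRF sink: any request carrying
// ?example_switch_to=v1 flips the setting, with no proof the user intended it.
add_action( 'init', function () {
    if ( isset( $_GET['example_switch_to'] ) ) {
        update_option( 'example_codebase', sanitize_text_field( wp_unslash( $_GET['example_switch_to'] ) ) );
    }
} );

/* ---------- Hardened form ---------- */

// Register only the logged-in hook; logged-out callers get WordPress's default "0".
add_action( 'wp_ajax_example_save_rule_v2', 'example_save_rule_hardened' );

function example_save_rule_hardened() {
    // 1. CSRF: the request must carry a nonce minted for exactly this action.
    check_ajax_referer( 'example_save_rule_v2', 'nonce' );

    // 2. Authorization: a valid session is not enough; require a store-admin capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: accept only the fields and value ranges the feature needs.
    $rule = example_validate_rule( wp_unslash( $_POST['rule'] ?? array() ) );
    if ( null === $rule ) {
        wp_send_json_error( array( 'message' => 'invalid rule' ), 400 );
    }

    update_option( 'example_discount_rule', $rule );
    wp_send_json_success( $rule );
}

// Returns a clean rule array, or null if the input does not match the expected shape.
function example_validate_rule( $input ) {
    if ( ! is_array( $input ) ) {
        return null;
    }
    $name    = isset( $input['name'] ) ? sanitize_text_field( $input['name'] ) : '';
    $percent = isset( $input['percent'] ) ? (int) $input['percent'] : -1;
    if ( '' === $name || $percent < 0 || $percent > 100 ) {
        return null;
    }
    return array( 'name' => $name, 'percent' => $percent );
}

// The switch becomes an admin-only POST that is nonce-checked and limited to the
// two known values, instead of an unauthenticated GET honoured on every page.
add_action( 'admin_post_example_switch_codebase', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    check_admin_referer( 'example_switch_codebase' );

    $target = sanitize_text_field( wp_unslash( $_POST['example_switch_to'] ?? '' ) );
    if ( ! in_array( $target, array( 'v1', 'v2' ), true ) ) {
        wp_die( 'invalid target', 400 );
    }
    update_option( 'example_codebase', $target );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
} );

// The settings page must emit the matching nonces so legitimate requests pass:
//   wp_nonce_field( 'example_switch_codebase' );                     // inside the POST form
//   wp_create_nonce( 'example_save_rule_v2' );                        // passed to the AJAX script
```

The three checks in the hardened handler are independent and each closes a different gap: dropping the nopriv hook removes anonymous access, the capability check stops a low-privilege account such as a customer from editing rules, and the nonce ties the request to a deliberate action by that user, which is the missing piece the article's CSRF finding points at.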
Experts strongly recommend updating to the latest version of this plugin, version 2.2.1, as soon as possible.
(SecurityAffairs – hacking, Discount Rules for WooCommerce)