A critical vulnerability affects eCommerce website running on WordPress and using the WooCommerce plugin. WooCommerce is one of the major eCommerce plugins for WordPress that allows operators to easily build e-stores based on the popular CMS, it accounts for more than 4 million installations with 35% market share.
The vulnerability is an arbitrary file deletion vulnerability that could be exploited by a malicious or compromised privileged user to take over the online store.
The flaw was discovered by Simon Scannell, a researcher at RIPS Technologies GmbH,
“A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations.” reads the security advisory published by RIPSTECH.
“The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.”
The vulnerability was already fixed with the release of the plugin version 3.4.6.
Scannell pointed out that arbitrary file deletion flaws aren’t usually considered critical issues because attackers use them to cause is a Denial of Service condition by deleting the index.php of the website. Anyway, the expert highlighted that deleting certain plugin files in WordPress an attacker could disable security checks and take over the e-commerce website.
The expert published a video PoC that shows how to exploit the flaw allowing an account with “Shop Manager” role to reset administrator accounts’ password and take over the store.
The installation process of the plugin creates “Shop Managers” accounts with “edit_users” permissions, this means that these accounts can edit store customer accounts to manage their orders, profiles, and products.
The expert pointed out that an account with “edit_users” in WordPress could also edit an administrator account, for this reason, the WooCommerce plugin implements some extra limitations to prevent abuses.
Scannell discovered that an administrator of a WordPress website disables the WooCommerce component, the limitations that the plugin implements are no more valid allowing Shop Manager accounts to edit and reset the password for administrator accounts.
The expert explained that an attacker that controls a Shop Manager account can disable the WooCommerce plugin by exploiting a file deletion vulnerability that resides in the logging feature of WooCommerce.
“By default, only administrators can disable plugins. However, RIPS detected an arbitrary file deletion vulnerability in WooCommerce. This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, woocommerce.php, WordPress will be unable to load the plugin and then disables it.” continues the post.
“The file deletion vulnerability occurred in the logging feature of WooCommerce.”
Once the flaws are exploited the WooCommerce plugin gets disabled, the shop manager can take over any administrator account and then execute code on the server.
Below the timeline for the flaw:
|2018/08/30||The Arbitrary File Deletion Vulnerabiliy was reported to the Automattic security team on Hackerone.|
|2018/09/11||The vulnerability was triaged and verified by the security team.|
|2018/10/11||A patch was released.|
The Automattic security team addressed the flaws with the release of the plugin version 3.4.6.