Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension


If you run an eCommerce website built on WordPress and the WooCommerce plugin, be aware of a newly published, unpatched vulnerability that could allow attackers to compromise your online store.

A WordPress security company called “Plugin Vulnerabilities”, which recently went rogue in protest against the moderators of WordPress’s official support forum, has once again published details and a proof-of-concept exploit for a critical flaw in a widely used WordPress plugin.

To be clear, the reported unpatched vulnerability does not reside in WordPress core or in the WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin called WooCommerce Checkout Manager, which extends WooCommerce by letting store owners customize the forms on their checkout pages, and which is currently in use on more than 60,000 websites.

The vulnerability is an “arbitrary file upload” issue that can be exploited by unauthenticated, remote attackers when the vulnerable site has the “Categorize Uploaded Files” option enabled in the WooCommerce Checkout Manager plugin settings.

If exploited, the flaw allows an attacker to upload a file containing server-side script code to a web-served directory and then request it, executing that code in the context of the web server process. From there the attacker can read or modify the site’s data or escalate to administrative access.
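To make the vulnerability class concrete, the following added example (written for this article, not code from WooCommerce Checkout Manager or from the Plugin Vulnerabilities disclosure) shows a hypothetical WordPress AJAX upload handler for a checkout form in two forms: the unsafe pattern that produces an unauthenticated arbitrary file upload, and a hardened version of the same handler. The action name `demo_checkout_upload`, the function names, the category whitelist and the allowed file types are all assumptions chosen for the illustration; the WordPress API calls (`add_action`, `check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `upload_dir` filter) are the standard core functions.

```php
<?php
/*
 * Added illustration, not the plugin's actual code.
 * Part 1: the unsafe pattern. The handler is registered for logged-out
 * visitors (wp_ajax_nopriv_*), performs no nonce, capability or file-type
 * check, and writes the file under an attacker-chosen "category"
 * subdirectory with its original name, so a .php upload lands in a
 * web-served path under wp-content/uploads/ and can then be requested.
 */
add_action( 'wp_ajax_nopriv_demo_checkout_upload', 'demo_checkout_upload_vulnerable' );
add_action( 'wp_ajax_demo_checkout_upload', 'demo_checkout_upload_vulnerable' );

function demo_checkout_upload_vulnerable() {
    $category = $_POST['category'];                  // attacker-controlled, unvalidated
    $upload   = wp_upload_dir();
    $target   = $upload['basedir'] . '/' . $category . '/' . $_FILES['file']['name'];
    @mkdir( dirname( $target ), 0755, true );
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );   // extension kept as sent
    wp_send_json_success( array( 'url' => $upload['baseurl'] . '/' . $category . '/' . $_FILES['file']['name'] ) );
}

/*
 * Part 2: the hardened handler. Guests legitimately upload during checkout,
 * so the nonce issued with the checkout form is the abuse control; the file
 * type is restricted to an explicit allow-list and re-checked by WordPress,
 * the category comes from a fixed whitelist, and the stored name is random.
 */
add_action( 'wp_ajax_nopriv_demo_checkout_upload', 'demo_checkout_upload_hardened' );
add_action( 'wp_ajax_demo_checkout_upload', 'demo_checkout_upload_hardened' );

function demo_checkout_upload_hardened() {
    // Rejects the request (HTTP 403 via wp_die) if the nonce is missing or wrong.
    check_ajax_referer( 'demo_checkout_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Only inert document types; no script extensions can pass this list.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // The subdirectory is chosen from a fixed whitelist, never from raw input.
    $categories = array( 'id-documents', 'receipts' );
    $category   = isset( $_POST['category'] ) ? sanitize_key( $_POST['category'] ) : '';
    if ( ! in_array( $category, $categories, true ) ) {
        wp_send_json_error( 'unknown category', 400 );
    }

    // Route the upload into uploads/<category>/ through WordPress's own upload path,
    // which re-validates the type and sanitizes the file name.
    $dir_filter = function ( $dirs ) use ( $category ) {
        $dirs['subdir'] = '/' . $category;
        $dirs['path']   = $dirs['basedir'] . $dirs['subdir'];
        $dirs['url']    = $dirs['baseurl'] . $dirs['subdir'];
        return $dirs;
    };
    add_filter( 'upload_dir', $dir_filter );
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => 'demo_random_upload_name',
    ) );
    remove_filter( 'upload_dir', $dir_filter );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}

// Random stored name; $ext already includes the leading dot.
function demo_random_upload_name( $dir, $name, $ext ) {
    return wp_generate_password( 20, false ) . $ext;
}
```

The nonce for the hardened handler would be emitted with the checkout form (`wp_create_nonce( 'demo_checkout_upload' )`) and posted back in the `nonce` field. As defence in depth, the uploads directory should also be configured so the web server never executes scripts from it (for example a `php_flag engine off` or `deny` rule for `*.php` under `wp-content/uploads/`), so that even a bypass of the type check does not yield code execution.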


WooCommerce Checkout Manager version 4.2.6, the latest release available at the time of writing, is vulnerable to this issue.

If your WordPress website uses this plugin, you are advised either to disable the “Categorize Uploaded Files” option in the plugin settings or to deactivate the plugin entirely until a patched version becomes available. Note that turning the option off only closes the upload path; if the site may already have been targeted, also review the uploads directory for unexpected executable files.

This is not the first time the company called Plugin Vulnerabilities has publicly disclosed an unpatched flaw.

The company has been continuously disclosing vulnerabilities in various WordPress plugins since its dispute with the WordPress forum moderators began.

For at least the past two years, the team behind Plugin Vulnerabilities has deliberately posted details of newly discovered vulnerabilities directly on the WordPress Support forum, instead of reporting them to the respective plugin authors, in violation of the forum’s rules.

In response, the moderators eventually banned Plugin Vulnerabilities from the official forum after multiple warnings, blocking all of its accounts.

This did not stop Plugin Vulnerabilities, which has since been disclosing details of new, unpatched WordPress plugin vulnerabilities on its own website, putting the whole ecosystem, its websites and their users at risk.

