
Vulnerabilities Found in 5 WooCommerce WordPress Plugins


The U.S. government's National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.

Many of the vulnerabilities vary in severity, ranging as high as Critical and rated 9.8 on a scale of 1-10.

Each vulnerability was assigned a CVE identification number (Common Vulnerabilities and Exposures), the identifier given to discovered vulnerabilities.

1. Advanced Order Export For WooCommerce

The Advanced Order Export for WooCommerce plugin, installed on over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A Cross-Site Request Forgery (CSRF) vulnerability arises from a flaw in a website plugin that allows an attacker to trick a website user into performing an unintended action.

Web browsers usually hold cookies that tell a website that a user is registered and logged in, and the browser sends those cookies automatically with every request to that site. A request the attacker induces a logged-in admin's browser to make therefore runs with the admin's privilege level. This gives the attacker full access to a website, exposes sensitive customer information, and so on.

This particular vulnerability can lead to an export file download. The vulnerability description doesn't describe what file can be downloaded by an attacker.

Given that the plugin's purpose is to export WooCommerce order data, it would be reasonable to assume that order data is the kind of file an attacker can access.

The official vulnerability description:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”

The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.

The official changelog for the plugin notes that the vulnerability was patched in version 3.3.3.

Read more on the National Vulnerability Database (NVD): CVE-2022-40128

2. Advanced Dynamic Pricing for WooCommerce

The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce, which is installed on over 20,000 websites.

This plugin was discovered to have two Cross-Site Request Forgery (CSRF) vulnerabilities that affect all plugin versions lower than 4.1.6.

The purpose of the plugin is to make it easy for merchants to create discount and pricing rules.

The first vulnerability (CVE-2022-43488) can lead to a “rule type migration.”

That's somewhat vague. Perhaps an assumption can be made that the vulnerability may have something to do with the ability to change the pricing rules.

The official description provided on the NVD:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”

Read more on the NVD: CVE-2022-43488

The NVD assigned the second CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin a CVE number, CVE-2022-43491.

The official NVD description of the vulnerability is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.”

The official plugin changelog notes:

“Changelog – 4.1.6 – 2022-10-26

Fixed some CSRF and broken access control vulnerabilities”

Read the official NVD announcement: CVE-2022-43491

3. Advanced Coupons for WooCommerce Coupons plugin

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs.

The problem discovered in this plugin is also a CSRF vulnerability and affects all versions lower than 4.5.01.

The plugin changelog calls the patch a bug fix:

“4.5.0.1

Bug Fix: The getting started notice dismiss AJAX request has no nonce value.”

The official NVD description is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”

Read more on the NVD: CVE-2022-43481
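The CSRF pattern behind the first three plugins (an admin-ajax.php action that runs on the strength of the browser's cookies alone, as the coupon plugin's "no nonce value" changelog entry spells out) is easiest to see next to its fix. The following is an added, hypothetical example written for this article, not code from any of the plugins it names: the action names, the nonce action string, the `security` field and the helper functions are assumptions, and `wc_get_orders()` assumes WooCommerce is active.

```php
<?php
// Added, hypothetical example. Action, function and nonce names are assumptions,
// not code from any plugin named in the article.

// --- Vulnerable shape -----------------------------------------------------
// A logged-in admin's browser attaches the WordPress auth cookies to every
// request to admin-ajax.php, including one another site caused it to send.
// Nothing below proves the request came from a page this site rendered, so
// the export runs for any such request.
add_action( 'wp_ajax_example_export_orders', 'example_export_orders_vulnerable' );
function example_export_orders_vulnerable() {
    example_send_csv( example_build_orders_csv() );
}

// --- Hardened shape -------------------------------------------------------
add_action( 'wp_ajax_example_export_orders_v2', 'example_export_orders_hardened' );
function example_export_orders_hardened() {
    // 1. Authorisation: the caller must hold the capability, not merely be logged in.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF: check_ajax_referer() verifies a nonce minted for this user, this
    //    site and this action. A third-party page cannot obtain that value, so a
    //    forged request stops here (WordPress replies -1 with HTTP 403).
    check_ajax_referer( 'example_export_orders', 'security' );

    example_send_csv( example_build_orders_csv() );
}

// The nonce has to reach the browser: mint it server-side while enqueuing the
// admin script and expose it to JavaScript, which POSTs it back as 'security'.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-export', plugins_url( 'export.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-export', 'exampleExport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'example_export_orders_v2',
        'nonce'   => wp_create_nonce( 'example_export_orders' ),
    ) );
} );

// Hypothetical helpers: build a small CSV of orders and stream it as a download.
function example_build_orders_csv() {
    $rows = array( array( 'order_id', 'total' ) );
    foreach ( wc_get_orders( array( 'limit' => 100 ) ) as $order ) {
        $rows[] = array( $order->get_id(), $order->get_total() );
    }
    $out = fopen( 'php://temp', 'r+' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    rewind( $out );
    return stream_get_contents( $out );
}

function example_send_csv( $csv ) {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    wp_die();
}
```

The browser side of the hardened path is a single call such as `jQuery.post(exampleExport.ajaxUrl, { action: exampleExport.action, security: exampleExport.nonce })`. Two points matter when reviewing a handler like this: the capability check and the nonce check are separate controls (a nonce proves intent, `current_user_can()` proves permission, and the dynamic-pricing changelog's "CSRF and broken access control" wording reflects exactly that split), and WordPress nonces are tied to the user and rotate roughly every 12 to 24 hours, so a stale nonce fails closed rather than open. The same two lines are what the coupon plugin's "notice dismiss" AJAX request was missing.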

4. WooCommerce Dropshipping by OPMC – Critical

The fourth affected software is the WooCommerce Dropshipping by OPMC plugin, which has over 3,000 installations.

Versions of this plugin lower than version 4.4 contain an Unauthenticated SQL injection vulnerability rated 9.8 (on a scale of 1-10) and labeled as Critical.

In general, a SQL injection vulnerability allows an attacker to manipulate the WordPress database and assume admin-level permissions, make changes to the database, erase the database, and even download sensitive data.

The NVD describes this specific plugin vulnerability:

“The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.”

Read more on the NVD: CVE-2022-3481

Read the official plugin changelog.
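The NVD wording names two separate defects, an endpoint open to unauthenticated users and a parameter spliced into SQL, and a WordPress REST route shows both side by side. Below is an added, hypothetical example for this article, not code from the WooCommerce Dropshipping plugin: the route namespace, table name, parameter and callback names are assumptions.

```php
<?php
// Added, hypothetical example; not the WooCommerce Dropshipping plugin's code.
// Namespace, table, parameter and function names are assumptions.

// --- Vulnerable shape -----------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-dropship/v1', '/supplier', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_supplier_vulnerable',
        'permission_callback' => '__return_true', // reachable by anyone, logged in or not
    ) );
} );

function example_get_supplier_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $name = $request->get_param( 'name' );
    // The parameter is neither sanitised nor escaped before it becomes part of
    // the statement, so its contents are interpreted as SQL syntax.
    $sql = "SELECT id, name, email FROM {$wpdb->prefix}example_suppliers WHERE name = '$name'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// --- Hardened shape -------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-dropship/v1', '/supplier-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_supplier_hardened',
        // Authorisation: only users who may manage the shop can query supplier data.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Declared args are sanitised and validated before the callback runs.
        'args' => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 100;
                },
            ),
        ),
    ) );
} );

function example_get_supplier_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $name  = $request->get_param( 'name' );
    $table = $wpdb->prefix . 'example_suppliers';
    // $wpdb->prepare() binds the value through a %s placeholder; user input is
    // escaped as data and can never change the shape of the statement.
    $sql = $wpdb->prepare(
        "SELECT id, name, email FROM {$table} WHERE name = %s",
        $name
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

Two checks worth making when reviewing any REST route: a `permission_callback` of `__return_true` is a deliberate statement that the endpoint is public and should be rare for anything that touches shop data, and a `$wpdb` query built with string interpolation of a request value is a finding regardless of what sanitisation ran earlier, because `prepare()` is the only step that escapes for the SQL context. Note also that cookie-authenticated REST calls from the admin UI must send an `X-WP-Nonce` header (minted with `wp_create_nonce( 'wp_rest' )`); without it WordPress treats the caller as unauthenticated, which is the CSRF protection for the REST side.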

5. Role Based Pricing for WooCommerce

The Role Based Pricing for WooCommerce plugin has two Cross-Site Request Forgery (CSRF) vulnerabilities. There are 2,000 installations of this plugin.

As mentioned regarding another plugin, a CSRF vulnerability usually involves an attacker tricking an admin or other user into clicking a link or performing some other action. That can result in the attacker gaining the user's website permission levels.

This vulnerability is rated 8.8 High.

The NVD description of the first vulnerability warns:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP”

The following is the official NVD description of the second vulnerability:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog”

The official Role Based Pricing for WooCommerce WordPress plugin changelog advises that the plugin is fully patched in version 1.6.2:

“Changelog 2022-10-01 – version 1.6.2

* Fixed the Arbitrary File Upload Vulnerability.

* Fixed the issue of ajax nonce check.”

Read the official NVD documentation:

CVE-2022-3537

CVE-2022-3536
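Both NVD entries for this plugin list the same three missing controls (authorisation, a CSRF check, and validation of what the user supplies), with the second adding an unvalidated path that reaches the filesystem. The following is an added, hypothetical example for this article, not code from Role Based Pricing for WooCommerce; the handler name, nonce action, field names and option name are assumptions. It shows an upload handler that validates file type against an allowlist, and a path resolver that refuses stream wrappers such as `phar://` before any filesystem call and confines the result to the uploads directory.

```php
<?php
// Added, hypothetical example; not code from Role Based Pricing for WooCommerce.
// Handler, nonce, field and option names are assumptions.

add_action( 'wp_ajax_example_import_pricing', 'example_import_pricing' );
function example_import_pricing() {
    // Authorisation first: a subscriber is authenticated but must not reach this
    // code. Then the nonce, which a cross-site form cannot supply.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_import_pricing', 'security' );

    if ( empty( $_FILES['pricing_file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }
    $file  = $_FILES['pricing_file'];
    $mimes = array( 'csv' => 'text/csv' ); // allowlist: only what the feature needs

    // Validate the file: extension AND content must match an allowed type.
    // A name such as "rules.php" or "rules.csv.php" is rejected here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 400 );
    }

    // wp_handle_upload() moves the file into the uploads directory with a
    // sanitised, unique name and enforces the same allowlist a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( array( 'message' => $moved['error'] ), 400 );
    }

    // Store the path relative to the uploads directory, never the raw upload name.
    $upload_dir = wp_upload_dir();
    $relative   = ltrim( str_replace( $upload_dir['basedir'], '', $moved['file'] ), '/\\' );
    update_option( 'example_pricing_import_file', $relative );
    wp_send_json_success( array( 'stored' => $relative ) );
}

// When the file is read back, the name may again originate from user input.
// Returns an absolute path inside the uploads directory, or false.
function example_resolve_import_path( $user_supplied ) {
    // 1. Refuse stream wrappers before touching the filesystem. With a phar://
    //    path, even file_exists() or is_file() parses the archive, which is the
    //    operation the second NVD entry describes.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $user_supplied ) || false !== strpos( $user_supplied, "\0" ) ) {
        return false;
    }

    // 2. Resolve both sides and confirm the target lies inside the base directory.
    //    realpath() collapses "../" segments, so the prefix test is authoritative.
    $upload_dir = wp_upload_dir();
    $base = realpath( $upload_dir['basedir'] );
    $path = realpath( $upload_dir['basedir'] . '/' . ltrim( $user_supplied, '/\\' ) );
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // 3. Re-check the type on read: the file could have changed since upload.
    $check = wp_check_filetype_and_ext( $path, basename( $path ), array( 'csv' => 'text/csv' ) );
    return empty( $check['ext'] ) ? false : $path;
}
```

The order of the checks in `example_resolve_import_path()` is the point: the wrapper test runs before `realpath()` or any other call that opens the path, because the deserialisation the NVD describes is triggered by the filesystem call itself, not by a later `unserialize()`. Two caveats for anyone auditing similar code: a hardened upload handler only protects the upload route, so a second endpoint that accepts a path still needs the resolver, and on PHP 8.0 and later phar metadata is no longer unserialised automatically on file operations, which narrows but does not remove the need for the wrapper check on older PHP versions still common in WordPress hosting.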

Course of Action

It's considered a good practice to update all vulnerable plugins. It's also a best practice to back up the site before making any plugin updates and (if possible) to stage the site and test the plugin before updating.


Featured picture by Shutterstock/Master1305


