Cybersecurity researchers have helped patch a security flaw in a popular WordPress plugin, which could be exploited by attackers to take over a website.
Discovered by Wordpress security experts Wordfence, the vulnerability exists in the “Preview E-mails for WooCommerce” plugin, which as its name suggests is an extension for the popular WooCommerce plugin, which is popularly used for quickly and easily rolling out an online store within an existing Wordpress website.
The “Preview E-mails for WooCommerce” plugin gives site owners the ability to preview emails before they are sent to customers via WooCommerce, and boasts of an installation base of over 20,000 websites.
Unchecked input
According to Wordfence’s threat analyst Chloe Chamberland, attackers could exploit the flaw to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.
Explaining the working of the vulnerability, tracked as CVE-2021-42363, she says that it existed because a key component of the affected plugin didn’t sanitize the input, giving attackers the opportunity to inject malicious code.
“This meant that if an attacker could successfully convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. This script could be crafted to inject a new administrative user or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over the site,” explains Chamberland.
Technically known as a reflected cross-site scripting (XSS) vulnerability, Wordfence brought it to the attention of the plugin’s developer who released a patch to address it in just over a week.
Easily build a website with these best Wordpress website builders, and use one of the best Wordpress ecommerce plugins to construct an online store without much effort
