Serious WordPress plugin vulnerability puts thousands of sites at risk


Cybersecurity researchers have helped patch a security flaw in a popular WordPress plugin, which made it possible for an attacker to inject rogue JavaScript scripts into the plugin’s settings.

Discovered by WordPress security experts at Wordfence, the vulnerability exists in the Variation Swatches for WooCommerce plugin, an extension for the popular WooCommerce plugin that enables ecommerce sites to display and sell multiple variations of a single product.

The plugin has a user base of 80,000 installations, all of which were affected by the stored cross-site scripting (XSS) vulnerability.

“This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin,” explains Chloe Chamberland, Wordfence researcher.

Site takeover

Chamberland says the vulnerability exists because the plugin relies on various AJAX actions for managing its settings, and these actions were not implemented securely. As a result, even the lowest-privileged authenticated user could execute the AJAX actions associated with the vulnerable functions.
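To make the weakness concrete, here is an added example in the form of a minimal WordPress AJAX settings handler; it is not the plugin's actual source, and the action name, option name and function names are hypothetical. The weak version accepts a setting from any logged-in user and prints it unescaped on the admin page; the hardened version adds the nonce check, capability check, input sanitising and output escaping that prevent the stored XSS.

```php
<?php
// Added example, not code from the Variation Swatches plugin.
// Hypothetical action name (demo_save_label) and option name (demo_swatch_label).

// WEAK: the 'wp_ajax_' prefix only requires that the caller be logged in,
// so a subscriber or customer account can reach this handler. The value is
// stored without sanitising and rendered without escaping, so script tags
// saved here run in the browser of the administrator who opens the settings page.
add_action( 'wp_ajax_demo_save_label_weak', 'demo_save_label_weak' );
function demo_save_label_weak() {
    update_option( 'demo_swatch_label', $_POST['label'] );   // no nonce, no capability, no sanitising
    wp_send_json_success();
}
function demo_render_label_weak() {
    // Unescaped output of attacker-controlled data inside the admin UI.
    echo '<input name="label" value="' . get_option( 'demo_swatch_label', '' ) . '">';
}

// HARDENED: verify the nonce, require an administrator-level capability,
// sanitise on save and escape on output.
add_action( 'wp_ajax_demo_save_label', 'demo_save_label_hardened' );
function demo_save_label_hardened() {
    // Stops the request with -1 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'demo_swatch_settings', 'nonce' );
    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Strip tags and stray whitespace from the submitted value before storing it.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'demo_swatch_label', $label );
    wp_send_json_success();
}
function demo_render_label_hardened() {
    // Escape for an HTML attribute context, so stored data can never break out of the value.
    echo '<input name="label" value="' . esc_attr( get_option( 'demo_swatch_label', '' ) ) . '">';
}
```

The nonce passed to check_ajax_referer must be generated with wp_create_nonce( 'demo_swatch_settings' ) on the settings page and sent along with the AJAX request.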

“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site,” said Chamberland, commenting on the implications of the bug.

The developers of the plugin have fixed the flaw and released a patched version of the extension, urging all users to make sure their installations are fully updated.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.