Serious WordPress plugin vulnerability puts thousands of sites at risk

Bug existed in an extension to the popular WooCommerce plugin


Cybersecurity researchers have helped patch a security flaw in a popular WordPress plugin, which made it possible for an attacker to inject rogue JavaScript into the plugin’s settings.

Discovered by WordPress security experts at Wordfence, the vulnerability exists in the Variation Swatches for WooCommerce plugin, an extension for the popular WooCommerce plugin that enables ecommerce sites to display and sell multiple variations of a single product.

The plugin has a user base of 80,000 installations, which were affected by the stored cross-site scripting (XSS) vulnerability.

“This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin,” explains Chloe Chamberland, Wordfence researcher.

Site takeover


Chamberland says the vulnerability exists because the plugin relies on various AJAX actions for managing settings, which weren’t implemented securely. This allowed even the lowest authenticated user with minimal permissions to execute AJAX actions associated with the vulnerable functions.
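The class of bug described above, as an added illustration (not code from the Variation Swatches plugin or from Wordfence; the hook, option and function names are hypothetical): a WordPress AJAX settings handler with no capability check, no nonce check and no escaping, beside the hardened form that closes each gap.

```php
<?php
// Added illustration only. Hook, option and function names are hypothetical.

// VULNERABLE PATTERN. The wp_ajax_ prefix fires for ANY authenticated role,
// subscriber and customer included, so without a capability check every
// logged-in user can write to the plugin's settings.
add_action( 'wp_ajax_demo_save_swatch_label_unsafe', 'demo_save_swatch_label_unsafe' );
function demo_save_swatch_label_unsafe() {
    update_option( 'demo_swatch_label', $_POST['label'] ); // raw, attacker-controlled
    wp_send_json_success();
}
// The admin settings page later echoes the stored value unescaped, so an
// injected <script> payload runs in the administrator's browser when the
// settings area is opened: a stored XSS with an admin-level victim.
function demo_render_settings_unsafe() {
    echo '<input name="label" value="' . get_option( 'demo_swatch_label' ) . '">';
}

// HARDENED PATTERN: authorise, verify request origin, sanitise on write,
// escape on output.
add_action( 'wp_ajax_demo_save_swatch_label', 'demo_save_swatch_label_safe' );
function demo_save_swatch_label_safe() {
    // 1. Only users allowed to manage plugin settings may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. Nonce check: rejects requests not issued from the plugin's own
    //    settings form (blocks CSRF against an administrator's session).
    check_ajax_referer( 'demo_swatch_settings', 'nonce' );
    // 3. Sanitise before storing; wp_unslash undoes WordPress' magic quotes.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'demo_swatch_label', $label );
    wp_send_json_success();
}
// 4. Escape on output regardless of what was stored; sanitising on input
//    alone is not a substitute for context-appropriate escaping.
function demo_render_settings_safe() {
    echo '<input name="label" value="' . esc_attr( get_option( 'demo_swatch_label' ) ) . '">';
}
```

When auditing a plugin for this pattern, grep for `wp_ajax_` registrations and confirm each handler performs both a `current_user_can()` and a `check_ajax_referer()` check before touching options or files.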

“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site,” said Chamberland, commenting on the implications of the bug.

The developers of the plugin have fixed the flaw and released a patched version of the extension, urging all its users to make sure their installations are fully updated.


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
