The company that supervises WordPress and WooCommerce development, Automattic, has patched a persistent XSS (cross-site scripting) vulnerability in the WooCommerce e-commerce plugin for WordPress.
This was an important fix, as the vulnerability could potentially have affected over 1 million e-commerce stores built with the plugin on the WordPress blogging platform.
This month (July 2016), the Summer of Pwnage event is underway. It aims to find bugs and vulnerabilities in open-source software, and this year it targeted WordPress and its plugins.
During the event, Cengiz Han Sahin, a security researcher at Securify, discovered a vulnerability in the WooCommerce plugin. (He also identified a vulnerability in the All In One SEO Pack plugin.)
The XSS Payload Is Delivered By Malicious Images
WooCommerce pulls metadata from uploaded images and uses it to populate the title and description fields that are shown as captions next to images on the store’s frontend. The vulnerability takes advantage of this. You can read a technical explanation here.
Anyone can edit the metadata for an image, so all a hacker has to do is place an XSS payload in an image’s metadata fields and then trick or otherwise convince a webmaster into using the malicious image on their site. That image could be a product image, for example, or some other image used in a product image gallery.
When the WooCommerce plugin displays the image, either in the WordPress admin area or on the site itself, the malicious code is executed and carries out the desired attack.
XSS issues are a convenient springboard for launching all kinds of further attacks on web applications. An attacker only needs the right payload to start stealing cookies or CSRF tokens in order to take over admin accounts and, indirectly, the site.
Sahin said that they only tested WooCommerce version 2.6.2 against this vulnerability, so earlier versions of the plugin are probably equally vulnerable. After the issue was reported, the WooCommerce team released version 2.6.3 to fix the problem.
Is WordPress Also Affected?
WordPress also uses image metadata to populate image titles and descriptions when you upload an image to your site. So the question arose as to whether WordPress itself also suffered from the WooCommerce vulnerability.
As it turns out, the WordPress developers use the same kind of data-sanitization techniques as the WooCommerce plugin. However, WooCommerce double-encodes the data, and this is where the XSS bug lay. Since WordPress doesn’t double-encode its image data, it does not have the bug.
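To make the mechanism described above concrete (metadata copied from an image into caption attributes, and the difference between output encoding done right and done wrong), here is an added Python example. It is not WooCommerce's or WordPress's code; the metadata values and the `scan_metadata`, `render_caption_vulnerable` and `render_caption_hardened` functions are constructed for illustration, and the scanner is the kind of pre-publication check a site owner could run over a media library.

```python
import html
import re

# Constructed sample metadata (not from the article): the title/description
# fields that the plugin copies from an uploaded image into its caption markup.
BENIGN_METADATA = {"title": "Blue mug", "description": "Ceramic, 300 ml"}
HOSTILE_METADATA = {
    "title": 'Blue mug" onmouseover="alert(1)',
    "description": "<script>alert(1)</script>",
}

# Patterns that have no business in an image title or caption: raw tags,
# inline event handlers and javascript: URLs.
MARKUP_RE = re.compile(r"<|>|\bon\w+\s*=|javascript:", re.IGNORECASE)


def scan_metadata(meta):
    """Return the names of fields whose values look like HTML or script.

    Run this on the metadata of an incoming upload, or over the existing
    media library, to flag images that need a look before being published.
    """
    return [field for field, value in meta.items() if MARKUP_RE.search(value or "")]


def render_caption_vulnerable(meta):
    """'Before' pattern: metadata dropped into attributes without escaping.

    A title containing a double quote closes the attribute early, so the rest
    becomes new attributes; a description containing a tag is emitted as live
    markup. This is the shape of the bug the article describes.
    """
    return '<img src="mug.jpg" title="{}" data-caption="{}">'.format(
        meta["title"], meta["description"]
    )


def render_caption_hardened(meta):
    """Fixed pattern: escape each value exactly once, at output time, for the
    attribute context it lands in (quote=True also encodes " and ').

    Escaping at render time keeps the stored value intact and avoids encoding
    an already-encoded value a second time.
    """
    title = html.escape(meta["title"], quote=True)
    caption = html.escape(meta["description"], quote=True)
    return '<img src="mug.jpg" title="{}" data-caption="{}">'.format(title, caption)


if __name__ == "__main__":
    print("flagged fields:", scan_metadata(HOSTILE_METADATA))
    print("vulnerable:", render_caption_vulnerable(HOSTILE_METADATA))
    print("hardened:  ", render_caption_hardened(HOSTILE_METADATA))
```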
The accompanying screenshot shows how an attacker could edit an image’s metadata to add their malicious payload.