WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress. According to WooCommerce, the plugin now powers over 30% of all online stores running WordPress with over one million downloads.
FortiGuard Labs discovered another Cross-Site Scripting (XSS) vulnerability in WooCommerce. FortiGuard disclosed a different XSS vulnerability in WooCommerce earlier this year, leading Fortinet’s Chris Dawson to ask if it was time to worry about WordPress. As he pointed out,
More often than not, though, plugins don’t get updated simply because WordPress lends itself to a “set it and forget it” mentality. Get everything working, install the extra bits you need, and go on about running your business, not worrying about your website. This ease of use and overall reliability is fantastic for WordPress users, but the false sense of security it creates is a recipe for disaster.
This new vulnerability is caused due to insufficiently sanitizing user-supplied inputs in the product sale price. It could allow remote attackers to launch an XSS attack to gather a user’s sensitive information for further attack, redirect a victim’s browser to malicious website, etc.
When submitting a product information update request, vulnerable versions of WooCommerce don’t sanitize the value of product sale price on the server side so that the injected code is also included in the product web page. It can be exploited to attack innocent users visiting the tampered product web page. Any user with edit or higher permission could exploit this vulnerability.
In our proof of concept, we were able to craft a request that, when sent to WordPress WooCommerce, generated a new page and sent it back to the browser. The new web page contains the injected code that can be automatically executed in the browser.
WooCommerce version 2.4.8 and before should upgrade to the latest version of WooCommerce. Networks and users who have deployed Fortinet IPS are automatically protected from this vulnerability by IPS Signature: WordPress.WooCommerce.Plugin.Product.Price.XSS.
Thanks to Fortinet’s FortiGuard Labs for discovering this vulnerability.