80K Retail WooCommerce Sites Exposed by Plugin XSS Bug

December 4, 2021

Introduction

Recently, the plugin name “Variation Swatches for WooCommerce,” installed across 80,000 on Word Press-powered retail websites, found vulnerable to stored Cross-Site Scripting (XSS) security vulnerability that could allow cyber attackers to inject malicious web scripts and hack the whole website. Also, this issue made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript codes that could execute when a site owner accessed the settings location of the Variation Swatches plugin” explained Chloe Chamber land, the Word fence researcher.

The Variation Swatches plugin is designed to permit retailers to use the WooCommerce platform for WordPress websites to expose distinct variations of the same product, like garments in numerous distinctive colors and sizes. But unfortunately, the vulnerable versions can also give regular user administrative permissions like customers or subscribers can get entry to the plugin’s settings, according to researchers from Wordfence.

Main Concern

The vulnerability exists because of the plugin that depends upon various AJAX actions to manage the settings, which are not securely implemented. This allowed even a normal user with minimal permissions to execute those AJAX actions associated with the vulnerable functions.

Giving normal users access to the “tawcvs_save_settings” function is particularly concerning because the access can be used by a normal user to update the plugin’s settings and inject malicious code that would execute every time whenever a website owner access the settings location of the Variation Swatches plugin.

As constantly, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor security vulnerability, which would grant the attacker the capability to hack the website completely.

Our Recommendations

The plugin developers have fixed the issue and released a patched version of the extension, urging all its users to make sure their installations are fully updated. So, to mitigate this, it is recommended to update the sites with the fully patched version-(2.1.2) of the Variation Swatches plugin for WooCommerce.
Also, it is recommended to use WordPress security plugins along with the web applications to protect your websites from cyber attacks.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

80K Retail WooCommerce Sites Exposed by Plugin XSS Bug

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure