WooCommerce issued a warning about an XSS vulnerability while Wordfence simultaneously reported a critical vulnerability in a WooCommerce plugin called Dokan Pro. The Dokan Pro advisory warned that an SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from a website database.
Dokan Pro WordPress Plugin
The Dokan Pro plugin allows users to transform their WooCommerce website into a multi-vendor marketplace similar to sites like Amazon and Etsy. It currently has more than 50,000 installations. Plugin versions up to and including 3.10.3 are vulnerable.
According to Wordfence, version 3.11.0 represents the fully patched and most secure version.
WordPress.org lists the current number of light version plugin installations at over 50,000 and a total number of installations at over 3 million. At this time, only 30.6% of installations were using the most up-to-date version, 3.11, which may mean that 69.4% of all Dokan Pro plugins are vulnerable.
Screenshot of Dokan plugin download statistics
The changelog does not show the vulnerability patch
The changelog is what tells users of a plugin what’s in an update. Most plugin and theme manufacturers will post a clear notice that an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including version 3.10.3. But the changelog notation for version 3.10.4 that was released on April 25, 2024 (which is supposed to be patched) shows no patch. The publisher of Dokan Pro and Dokan Lite may not have wanted to alert hackers to the critical vulnerability.
Screenshot of Dokan Pro changelog
CVSS score 10
The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The score combines how exploitable the flaw is, the impact of a successful exploit, and additional metrics such as security and urgency; the total ranges from least severe (1) to most severe (10).
The Dokan Pro plugin received a CVSS score of 10, the highest severity level, meaning that any users of the plugin are advised to take immediate action.
Screenshot of Dokan Pro Vulnerability Severity Score
Description of the vulnerability
Dokan Pro has been found to contain an unauthenticated SQL injection vulnerability. There are authenticated and unauthenticated vulnerabilities. Unauthenticated means that an attacker does not need to acquire user credentials to launch an attack. Between the two types of vulnerabilities, unauthenticated is the worst case.
A WordPress SQL injection vulnerability is one where a plugin or theme allows an attacker to manipulate the database. The database is the heart of every WordPress website: it is where all passwords, login names, posts, theme data and plugin data are stored. A vulnerability that allows anyone to manipulate the database is therefore extremely serious.
This is how Wordfence describes it:
“The Dokan Pro plugin for WordPress is vulnerable to SQL injection via the ‘code’ parameter in all versions up to and including 3.10.3 due to insufficient escaping of the user-supplied parameter and the lack of sufficient preparation for the existing SQL query. This makes it possible for unauthenticated attackers to add additional SQL queries to already existing queries that can be used to extract sensitive information from the database.”
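The two defects Wordfence names, insufficient escaping and a query that is not prepared, are easiest to see side by side. The following is an added illustration, not Dokan's own code: a hypothetical lookup keyed on a request parameter named `code`, exposed through a public REST route. The table name, column names, route and function names are assumptions; the WordPress APIs used (`$wpdb->prepare()`, `$wpdb->get_results()`, `sanitize_text_field()`, `wp_unslash()`, `register_rest_route()`) are real.

```php
<?php
// Added illustration (not Dokan's code): a hypothetical lookup that takes a
// user-supplied "code" request parameter and queries a custom table.
// Table name, column names, route and function names are assumptions.

// VULNERABLE: the raw parameter is interpolated into the SQL string.
// A quote character inside $code terminates the string literal, so the rest
// of the input is parsed as SQL and can append clauses to the existing query.
function example_lookup_by_code_vulnerable( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_codes';
    $sql   = "SELECT id, label FROM {$table} WHERE code = '{$code}'";
    return $wpdb->get_results( $sql );
}

// FIXED: $wpdb->prepare() binds the value through a %s placeholder, so whatever
// the parameter contains is treated as data, never as SQL syntax.
function example_lookup_by_code_safe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_codes';
    $code  = sanitize_text_field( wp_unslash( $code ) );
    $sql   = $wpdb->prepare(
        "SELECT id, label FROM {$table} WHERE code = %s",
        $code
    );
    return $wpdb->get_results( $sql );
}

// Typical unauthenticated entry point: a public REST route forwards the request
// parameter straight to the lookup. With the vulnerable lookup, no login is
// needed to reach the injectable query; with the prepared lookup the route can
// stay public without exposing the database.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/code', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // intentionally public
        'args'                => array(
            'code' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response(
                example_lookup_by_code_safe( $request->get_param( 'code' ) )
            );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, search for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string contains a `$` variable or a `{$...}` interpolation, and check whether each one passes through `$wpdb->prepare()` first; a sanitize callback on the route is a defense in depth, not a substitute for the prepared statement.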
Recommended action for Dokan Pro users
Users of the Dokan Pro plugin are encouraged to consider updating their sites as soon as possible. It’s always wise to test updates before going live on a website. But due to the severity of this vulnerability, users should consider speeding up this update.
WooCommerce published a warning of a vulnerability affecting versions 8.8.0 and higher. The vulnerability has a rating of 5.4, which is a medium threat level and only affects users who have the order attributes feature enabled. However, WooCommerce “strongly” recommends that users upgrade as soon as possible to the most current version (as of this writing), WooCommerce 8.9.3.
WooCommerce Cross Site Scripting (XSS) Vulnerability
The type of vulnerability that affects WooCommerce is called Cross Site Scripting (XSS), which is a type of vulnerability that relies on a user (such as a WooCommerce store admin) clicking on a link.
According to WooCommerce:
“This vulnerability could allow cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (using code such as JavaScript) on a page. This could affect anyone who clicks the link, including a customer, the merchant or the store administrator.
… We are not aware of any exploitation of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have not received any reports of an exploit, and our engineering team’s analysis did not reveal that it was exploited.”
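The "manipulated link" WooCommerce describes is the reflected XSS pattern: a page prints part of the request URL back into its HTML without escaping, so whatever a crafted link carries in that parameter is rendered as markup for whoever opens it. The following is an added illustration, not WooCommerce's code: a hypothetical shortcode that echoes a `q` query-string parameter, first unescaped and then escaped for the HTML context it lands in. The shortcode and function names are assumptions; `esc_html()`, `esc_url()`, `add_query_arg()`, `sanitize_text_field()` and `wp_unslash()` are real WordPress functions.

```php
<?php
// Added illustration (not WooCommerce's code): a hypothetical shortcode that
// reflects a query-string parameter into the page. Names are assumptions.

// VULNERABLE: the raw parameter is concatenated into HTML. Any markup carried
// in ?q= becomes part of the page and runs in the browser of whoever opens the
// link, whether customer, merchant or store administrator.
function example_search_notice_vulnerable() {
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    return '<p>Results for: ' . $q . '</p>';
}

// FIXED: escape for the exact context the value is written into.
//   esc_html() for text between tags, esc_url() for an href attribute.
// sanitize_text_field() strips tags and control characters on the way in,
// but output escaping is what actually prevents the injected markup.
function example_search_notice_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '<a href="' . esc_url( add_query_arg( 'q', $q ) ) . '">'
         . 'Share this search</a>';
}
add_shortcode( 'example_search_notice', 'example_search_notice_safe' );
```

The practical review rule is the same as for SQL injection: every `echo` or returned string that includes request data (`$_GET`, `$_POST`, `$_REQUEST`, or a REST parameter) must pass through the `esc_*` function matching its context, and a plugin that reads the request but has no `esc_html`, `esc_attr` or `esc_url` calls in its output path is the place to look first.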
Should web hosts be more proactive?
Web developer and search marketing expert Adam J. Humphreys, of Making 8, inc., believes that web hosts should be more proactive in patching critical vulnerabilities, although this may cause some sites to lose functionality if there is a conflict with some other plugin or theme in use.
Adam observed:
“The deeper problem is the fact that WordPress remains without automatic updates and a constant vulnerability that is the illusion that your sites are safe. Most basic updates are not performed by hosts, and almost all hosts do not perform any plugin updates, even if they do until a core update is done. Then there’s the fact that most premium plugin updates don’t work automatically. Many of which contain critical security patches.”
I asked if he meant a push update, where an update is pushed to a website.
“Correct, many hosts won’t update until a core WordPress update. Softaculous engineers confirmed this to me. WPEngine, which claims fully managed updates, doesn’t do this often enough to apply in a timely manner for these plugins. WordPress without continuous management is a vulnerability, and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”
Read more at Wordfence:
Dokan Pro <= 3.10.3 - Unauthenticated SQL injection
Read the official WooCommerce vulnerability documentation:
WooCommerce has been updated to address the cross-site scripting vulnerability
Featured image by Shutterstock/New Africa