We generally avoid security journalism as it frequently ranges from wildly misleading claims to flat-out falsehoods, one example of that being something we discussed just a couple of weeks ago. One of the security journalism outlets we mentioned in that post was BleepingComputer, so when a Google news alert let us know of another story from them related to the security of WordPress plugins, it wasn’t surprising that it might not be totally accurate. The title of the story is “WordPress Design Flaw + WooCommerce Vulnerability Leads to Site Takeover”, though there doesn’t appear to be a design flaw in WordPress or a site takeover that actually occurred.
The “design flaw” is first described as one with the “WordPress permission system” and then as:
The flaw with the WordPress plugin/privilege system is that if the WooCommerce plugin is disabled, the function that limits what users a Shop Manager can edit is no longer accessible and thus Shop Managers can edit users in the Administrator role.
We don’t understand how it is a WordPress design flaw that a plugin’s functionality stops working when the plugin is disabled; what it actually sounds like is that the design of the plugin is flawed, but that wouldn’t draw as much attention.
It is important to note that this claim isn’t actually an original thought of the writer of the article, Lawrence Abrams, who is the “creator and owner of BleepingComputer.com”. Instead he has simply repeated the claim from the security company Rips Technologies. That seems like a bad idea, since they are known to make wildly overstated claims.
The supposed design flaw is also front and center in Rips Technologies’ post, as it is titled “WordPress Design Flaw Leads to WooCommerce RCE”. The claim is much the same:
The Design Flaw
While these filters work, they only get executed when the plugin is active. The issue is that user roles get stored in the database and exist even if the plugin is disabled. This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with edit_users to edit any user, even administrators, would occur. This would allow shop managers to update the password of the admin account and then take over the entire site.
Again, this doesn’t sound like a WordPress design flaw. User roles do not have to be tied to a plugin, so what is happening there seems to be WordPress working correctly while a plugin is designed in a way that doesn’t appear to have been fully thought out. If you want to add a capability in a way that only works while a plugin is enabled, there is a WordPress filter for doing that, which according to the documentation has existed since WordPress 2.0.0, which was released nearly 13 years ago.
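To make the distinction concrete, here is an added illustration written for this post (it is not WooCommerce’s code, and the post itself does not name the filter; the assumption here is that it refers to the `user_has_cap` filter, which the WordPress documentation lists as available since 2.0.0). The hypothetical “Example Shop” plugin, its `example_shop_manager` role and the `customer` role it checks against are all assumptions for the illustration. The first function persists `edit_users` on the role, so the capability survives in the database after the plugin is deactivated while the plugin’s own restrictions no longer run; the second keeps the role minimal and grants the capability only at runtime, so it disappears together with the plugin.

```php
<?php
/*
 * Added illustration for a hypothetical "Example Shop" plugin
 * (not WooCommerce's code). It contrasts a capability persisted on
 * the role in the database with one granted at runtime through the
 * user_has_cap filter, which only runs while the plugin is active.
 */

// Fragile approach: edit_users is written to the role in the database
// on activation. It stays there after deactivation, while any filter the
// plugin used to narrow it stops running, so the narrowing is lost.
function example_shop_activate_persistent() {
    add_role( 'example_shop_manager', 'Shop Manager', array(
        'read'       => true,
        'edit_users' => true, // persisted in wp_options, outlives the plugin
    ) );
}

// Safer approach: register the role without the sensitive capability ...
function example_shop_activate_filtered() {
    add_role( 'example_shop_manager', 'Shop Manager', array(
        'read' => true,
    ) );
}

// ... and grant it only while the plugin is active, and only for the
// narrow case the plugin needs (here: editing users in the assumed
// 'customer' role). With the plugin disabled this filter is simply gone,
// so shop managers hold no edit_users capability at all.
function example_shop_grant_edit_users( $allcaps, $caps, $args, $user ) {
    if ( ! in_array( 'example_shop_manager', (array) $user->roles, true ) ) {
        return $allcaps;
    }
    // For the edit_user meta capability WordPress passes the capability
    // name in $args[0] and the target user's ID in $args[2].
    if ( 'edit_user' === $args[0] && isset( $args[2] ) ) {
        $target = get_userdata( (int) $args[2] );
        if ( $target && in_array( 'customer', (array) $target->roles, true ) ) {
            $allcaps['edit_users'] = true;
        }
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_shop_grant_edit_users', 10, 4 );
```

With the second approach a request to edit an administrator never satisfies the `edit_users` requirement for a shop manager, whether or not the plugin is active.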
So how about the “site takeover” element? Well, for that to be possible you would have to have access to a fairly privileged account, though Rips Technologies describes gaining that access as if it is not actually a big deal:
No other requirements other than an attacker being in control of an account with the user role shop manager were required. Shop managers are employees of the store that can manage orders, products and customers. Such access could be obtained via XSS vulnerabilities or phishing attacks.
A malicious actor that has control of a shop manager account could do a lot just with the ability to “manage orders, products and customers”.
Neither BleepingComputer nor Rips Technologies makes a claim that any website was taken over through this.
Based on the previous instance of bad journalism mentioned at the beginning of this post, it seems likely that other journalists will run with these misleading claims soon.