2 Jun 2023

WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a value that is only included in WordPress admin pages. WooCommerce claims to limit access to those pages to admins. Documentation from the developer states that “By default, WooCommerce blocks non-admin users from entering WP Admin, or seeing the WP Admin bar.” Despite that, the vulnerability was widely exploited.

The explanation for how it could be widely exploited despite that limitation is that the discoverer of the vulnerability disclosed a bypass for that, “WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1”. The discloser, NinTechNet, provided no explanation of why they publicized that, nor made any mention of contacting the developer about that bypass. It isn’t as if they didn’t know that they were disclosing something that isn’t supposed to be possible, as we had brought that up to them in a situation involving a different vulnerability a couple of weeks before.

The developer of WooCommerce is Automattic, which also sells various security solutions for WordPress websites, so it isn’t unreasonable to think they would have become aware of that bypass at the time. We don’t know if they did at the time, but two days ago, we contacted their security team about it. We have yet to receive any response.

We were looking into the continued existence of the bypass while looking into another vulnerability, one that ties into problems with both companies we have mentioned so far.

Capabilities Checks Missing

Earlier this week, NinTechNet added a new firewall rule to the rules for their NinjaFirewall plugin. That rule would block requests to the website where the GET or POST input named action was set to b2bkingdownloadpricelist or b2bking_price_import. That would seem to be connected to a plugin named B2BKing. At that point in looking into this, things get odd. On the WordPress plugin directory, the changelog page for the plugin simply lists a URL, https://woocommerce-b2b-plugin.com/changelog. On that page NinTechNet is credited with finding a vulnerability:

Vulnerability fix – Authenticated Product Price Change: A logged in user may have been able to modify product prices using AJAX calls. Thank you to NinTechNet / Jerome Bruandet ( https://secure.nintechnet.com/ ) for reporting the issue and recommending solutions.

That is included in a listing for the changes for version 4.6.20 of the plugin. While the plugin was recently updated on the plugin directory, the latest version there is only 4.2.56. (That is not the only thing that doesn’t match up. The developer on the plugin directory is listed as WebWizards, but on the linked website it is listed as SNP Digital.) It looks like the changelog is for a paid version of the plugin.

We then started to look into what is going on with the free version. What we found is a larger security issue that hadn’t been resolved, which NinTechNet hasn’t warned people about.

The security issue is a common one with plugins that extend WooCommerce. It is something that Automattic could easily help to curtail, but hasn’t, despite there having been repeated instances of widely exploited vulnerabilities caused in part by it. (Their being in the business of profiting off of the insecurity of WordPress gives them an incentive not to do that.)

The security issue is that various functionality in the plugin should be limited to only Administrators of the website, but anyone logged in to WordPress can access it. As an example of that, which we detailed in a more technical post, we found that it is currently possible for anyone logged in to WordPress to delete any and all WordPress users on a website using the plugin. That occurs through an AJAX accessible function in the plugin, which is accessible to anyone logged in to WordPress. There should be a capabilities check to limit access to that to only Administrators, but that is missing. There is a nonce check in the code, which limits exploitation to only those who have access to the admin area of WordPress. That brings us back to the beginning of this post, as WooCommerce is supposed to limit access to that, but the bypass NinTechNet disclosed allows others to access it.
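The pattern described above, as an added example that is not code from B2BKing, WooCommerce or the original post: an AJAX handler whose only guard is a nonce, beside the same handler with the capability check that is missing. The action and nonce names are hypothetical.

```php
<?php
// Added example; the action names, nonce name and callbacks are hypothetical.

// Vulnerable pattern: a nonce check only. A nonce proves the request came from
// a page that rendered the nonce (a WP Admin page), not that the user is an
// Administrator. The wp_ajax_ hook already requires a login, so any logged-in
// user who can reach WP Admin passes this check.
add_action( 'wp_ajax_example_delete_user_vulnerable', 'example_delete_user_vulnerable' );
function example_delete_user_vulnerable() {
    check_ajax_referer( 'example_delete_user_nonce', 'security' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $user_id ) {
        // Privileged work runs for any authenticated user.
        wp_delete_user( $user_id );
    }
    wp_send_json_success();
}

// Hardened pattern: check the capability first, then the nonce. The capability
// check limits the action to Administrators regardless of how the user reached
// the admin area; the nonce check still protects against CSRF.
add_action( 'wp_ajax_example_delete_user_hardened', 'example_delete_user_hardened' );
function example_delete_user_hardened() {
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    check_ajax_referer( 'example_delete_user_nonce', 'security' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || $user_id === get_current_user_id() ) {
        wp_send_json_error( 'Invalid user.', 400 );
    }
    wp_delete_user( $user_id );
    wp_send_json_success();
}
```

Both wp_send_json_error() and check_ajax_referer() terminate the request on failure, so no code after a failed check runs.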

There is some good news in all this. After running across this vulnerability, we have added detection for vulnerabilities like this one to our monitoring solutions, including to the publicly available Plugin Security Checker. We also developed new protection for our firewall plugin to protect against that type of vulnerability if it exists in any other plugin.
