WooCommerce Vulnerability Listed as Being Fixed in Upcoming Release Was Already Fixed
In January, multiple WordPress security providers falsely claimed that a vulnerability had been fixed in the WooCommerce plugin. The situation was made more problematic because one of them said it was fixed in a version of WooCommerce that was newer than the version currently available. This situation was partially caused by the developers of WooCommerce having included a changelog entry for a security improvement in the changelog for the wrong version of the plugin. That has happened again, only this time there really is a vulnerability, though a minor one, being fixed.
Yesterday, a beta version of WooCommerce 8.7.0 was submitted to the WordPress Plugin Directory. The changelog added for it suggests that it will be released on March 13. One of the entries was flagged by our systems as possibly referring to a fix for a vulnerability:
Fix – Adds a nonce check to the HPOS order sync tool. #44667
As at least one of our customers uses the plugin, we went to check on that.
A nonce check is used to prevent cross-site request forgery (CSRF). Despite the strong indication that this was fixing a vulnerability, the entry is not labeled as “security”, but as a “fix.” Looking back at previous changelog entries, the last time they labeled something as “security” was in January of last year, despite this not being the first vulnerability fixed since then.
Looking at the linked GitHub pull request, something is off, as the “Changes proposed in this Pull Request” section reads only:
Cherry-pick #301 into trunk
Checking that link, it has nothing to do with what was changed.
The code change involves the function sync_now() in the file /src/Internal/DataStores/Orders/CustomOrdersTableController.php, which previously didn’t have a nonce check before triggering the HPOS order sync tool:
```php
private function sync_now() {
	$section = filter_input( INPUT_GET, 'section' );
	if ( 'features' !== $section ) {
		return;
	}

	if ( filter_input( INPUT_GET, self::SYNC_QUERY_ARG, FILTER_VALIDATE_BOOLEAN ) ) {
		$this->batch_processing_controller->enqueue_processor( DataSynchronizer::class );
		// ... remainder of the function omitted from this excerpt
```
In practical terms, that means an attacker could possibly trick a user with access to that tool (normally users with the Administrator and Shop Manager roles) into triggering a sync without intending to. So not something that should be a major issue.
The change to address that was actually included in version 8.6.0 on February 15. The needed nonce check was added:
```php
private function sync_now() {
	$section = filter_input( INPUT_GET, 'section' );
	if ( 'features' !== $section ) {
		return;
	}

	if ( ! filter_input( INPUT_GET, self::SYNC_QUERY_ARG, FILTER_VALIDATE_BOOLEAN ) ) {
		return;
	}

	if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ?? '' ) ), 'hpos-sync-now' ) ) {
		WC_Admin_Settings::add_error( esc_html__( 'Unable to start synchronization. The link you followed may have expired.', 'woocommerce' ) );
		// ... remainder of the function omitted from this excerpt
```
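To show why the added nonce check closes the CSRF issue, here is an added, stand-alone model (not WooCommerce or WordPress code) of the fixed handler: the nonce scheme mirrors the tick-based HMAC of wp_create_nonce()/wp_verify_nonce() without the session token, and the secret, user id, query-arg name 'hpos_sync_now' and request arrays are constructed for the demo.

```php
<?php
// Constructed demo values; WordPress derives these from the installation and the logged-in user.
const NONCE_SECRET = 'constructed-demo-secret';
const NONCE_LIFE   = 86400; // DAY_IN_SECONDS, the WordPress default lifespan
const CURRENT_USER = 42;    // constructed: an administrator's user id

function nonce_tick( int $now ): int {
	// WordPress halves the lifespan, so a nonce stays valid between 12 and 24 hours.
	return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

function nonce_for_tick( int $tick, string $action ): string {
	return substr( hash_hmac( 'md5', $tick . '|' . $action . '|' . CURRENT_USER, NONCE_SECRET ), -12, 10 );
}

function create_nonce( string $action, int $now ): string {
	return nonce_for_tick( nonce_tick( $now ), $action );
}

function verify_nonce( string $nonce, string $action, int $now ): bool {
	// Accept the current tick and the previous one, as wp_verify_nonce() does.
	$tick = nonce_tick( $now );
	foreach ( [ $tick, $tick - 1 ] as $t ) {
		if ( hash_equals( nonce_for_tick( $t, $action ), $nonce ) ) {
			return true;
		}
	}
	return false;
}

// Models the fixed sync_now(): the GET request only starts the sync when it
// carries a valid 'hpos-sync-now' nonce. 'hpos_sync_now' stands in for SYNC_QUERY_ARG.
function handle_sync_request( array $get, int $now ): string {
	if ( ( $get['section'] ?? '' ) !== 'features' ) {
		return 'ignored';
	}
	if ( ! filter_var( $get['hpos_sync_now'] ?? '', FILTER_VALIDATE_BOOLEAN ) ) {
		return 'ignored';
	}
	if ( ! verify_nonce( $get['_wpnonce'] ?? '', 'hpos-sync-now', $now ) ) {
		return 'rejected: the link may have expired';
	}
	return 'sync enqueued';
}

$now    = time();
$good   = [ 'section' => 'features', 'hpos_sync_now' => '1', '_wpnonce' => create_nonce( 'hpos-sync-now', $now ) ];
$forged = [ 'section' => 'features', 'hpos_sync_now' => '1' ]; // a link from another site carries no nonce
$stale  = $good;
$stale['_wpnonce'] = create_nonce( 'hpos-sync-now', $now - 2 * NONCE_LIFE ); // issued two days ago
foreach ( [ 'legitimate' => $good, 'forged' => $forged, 'stale' => $stale ] as $label => $req ) {
	echo "$label: " . handle_sync_request( $req, $now ) . "\n";
}
```

Only the legitimate request is enqueued; the forged request is rejected because a third-party page cannot compute the HMAC without the secret, and the stale one because its tick is outside the two-tick window.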
We checked over similar code in the plugin and didn’t find any similar issues that still need to be resolved.