7 Jun 2023

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all of the website’s WordPress user accounts, which would be nasty if exploited. Easy exploitation of the vulnerability depends, in part, on a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of it).

A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all). [Read more]

23 Sep 2016

SecuPress Falsely Claims Unfixed Reflected Cross-Site Scripting (XSS) Vulnerability in W3 Total Cache is High Risk

On Monday we introduced a new feature to the service that lets you know how likely it is that a WordPress plugin vulnerability will be exploited. In explaining why we thought the new feature would be useful, we wrote in part:

Something we often see is that really minor vulnerabilities, ones that have almost no chance of someone trying to exploit them on a website, are instead presented by security companies and the press as being major concerns. [Read more]