Is This Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability What Hackers Would be Interested in Woocommerce Products Price Bulk Edit For?
As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is Woocommerce Products Price Bulk Edit, which has 20,000+ installs according to wordpress.org and was last updated over two years ago.
In looking over the plugin, we found that various functionality intended only for WordPress users who are able to edit WooCommerce products is accessible to anyone logged in to WordPress. Seeing as WooCommerce normally creates WordPress accounts for customers, that is a big issue. Among the things anyone logged in can do are deleting products (or anything else stored as a WordPress post, for that matter), changing the price of products, and changing the title of products (or, again, anything else stored as a WordPress post). What seems most likely to be of interest to hackers, though, is that a setting can be changed, and that can be used to cause authenticated persistent cross-site scripting (XSS).
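The root cause described above is an authorization gap: WordPress runs `wp_ajax_*` handlers for every authenticated user, so a handler that never checks a capability is reachable by a customer account. The following is an added illustration, not code from the Woocommerce Products Price Bulk Edit plugin or from WooCommerce; the action names (`pbe_update_price`, `pbe_save_label`), the option name `pbe_label` and the nonce action `pbe_bulk_edit` are hypothetical. It shows a price-update handler in the weak form beside a hardened form that adds a nonce check, a capability check and per-post ownership check, plus a settings handler that sanitizes on write and escapes on output, which is what closes the persistent XSS path.

```php
<?php
// Added example (not the plugin's code). Assumes a WordPress site with WooCommerce
// active, which registers the 'edit_products', 'edit_product' and 'manage_woocommerce'
// capabilities used below. Hook and option names are hypothetical.

// --- Weak pattern (shown for contrast, deliberately NOT hooked) -------------------
// Any logged-in user reaches a wp_ajax_ handler; nothing here checks that the
// caller may edit products, and the post id is not even confirmed to be a product.
function pbe_update_price_weak() {
    $product_id = (int) $_POST['product_id'];
    update_post_meta( $product_id, '_price', wc_format_decimal( $_POST['price'] ) );
    wp_send_json_success();
}

// --- Hardened form --------------------------------------------------------------
add_action( 'wp_ajax_pbe_update_price', 'pbe_update_price_hardened' );
function pbe_update_price_hardened() {
    // Request must carry a nonce issued on the plugin's own admin page.
    check_ajax_referer( 'pbe_bulk_edit', 'nonce' );

    // Role-level check: customers do not hold 'edit_products'.
    if ( ! current_user_can( 'edit_products' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Object-level check: the target must be a product this user may edit,
    // so the handler cannot be pointed at arbitrary posts.
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    if ( 'product' !== get_post_type( $product_id )
        || ! current_user_can( 'edit_product', $product_id ) ) {
        wp_send_json_error( 'invalid product', 400 );
    }

    // Validate the value before it touches the database.
    $price = isset( $_POST['price'] ) ? wc_format_decimal( wp_unslash( $_POST['price'] ) ) : '';
    if ( '' === $price || ! is_numeric( $price ) ) {
        wp_send_json_error( 'invalid price', 400 );
    }

    update_post_meta( $product_id, '_regular_price', $price );
    update_post_meta( $product_id, '_price', $price );
    wp_send_json_success( array( 'product_id' => $product_id, 'price' => $price ) );
}

// --- Settings: the persistent XSS path ------------------------------------------
// A free-text setting that is later echoed into admin pages needs the same
// authorization gate, sanitization on write and escaping on output.
add_action( 'wp_ajax_pbe_save_label', 'pbe_save_label_hardened' );
function pbe_save_label_hardened() {
    check_ajax_referer( 'pbe_bulk_edit', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    update_option( 'pbe_label', $label );
    wp_send_json_success( array( 'label' => $label ) );
}

// Escape at the point of output regardless of what was stored.
function pbe_render_label() {
    echo '<span class="pbe-label">' . esc_html( get_option( 'pbe_label', '' ) ) . '</span>';
}
```

The two checks in the hardened handler are distinct: `current_user_can( 'edit_products' )` blocks customer accounts outright, while `current_user_can( 'edit_product', $product_id )` together with the `get_post_type()` test stops an authorized editor from using the handler against non-product posts. When reviewing a plugin for this class of issue, grep its `add_action( 'wp_ajax_` registrations and confirm each callback performs both a nonce check and a capability check before any write.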