14 Sep 2023

Automattic Reintroduced Security Vulnerability Into WooCommerce, Their WPScan Missed That

Automattic is the company run by the head of WordPress, Matt Mullenweg. Among its operations, it sells access to (often inaccurate) information on vulnerabilities in WordPress plugins through WPScan. Earlier this week WPScan added an entry for a claimed vulnerability in Automattic’s WooCommerce plugin, which has 5+ million installs according to WordPress’ data. They claimed the vulnerability had been fixed in version 7.0.1:

[Read more]

21 Jun 2023

Latest WooCommerce Version Fixes Security Bypass Utilized by Widely Exploited Vulnerability

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a value that is only included in WordPress admin pages. WooCommerce claimed to limit access to that to admins. Documentation from the developer states that “By default, WooCommerce blocks non-admin users from entering WP Admin, or seeing the WP Admin bar.” Despite that, the vulnerability was widely exploited.

The explanation for how it could be widely exploited despite that limitation is that the discoverer of the vulnerability disclosed a bypass for that, “WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1”. The discloser, NinTechNet, provided no explanation of why they publicized that, nor made any mention of contacting the developer about that bypass. It isn’t as if they didn’t know that they were disclosing something that isn’t supposed to be possible, as we had brought that up to them in a situation involving a different vulnerability a couple of weeks before. [Read more]

2 Jun 2023

WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a value that is only included in WordPress admin pages. WooCommerce claims to limit access to that to admins. Documentation from the developer states that “By default, WooCommerce blocks non-admin users from entering WP Admin, or seeing the WP Admin bar.” Despite that, the vulnerability was widely exploited.

The explanation for how it could be widely exploited despite that limitation is that the discoverer of the vulnerability disclosed a bypass for that, “WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1”. The discloser, NinTechNet, provided no explanation of why they publicized that, nor made any mention of contacting the developer about that bypass. It isn’t as if they didn’t know that they were disclosing something that isn’t supposed to be possible, as we had brought that up to them in a situation involving a different vulnerability a couple of weeks before. [Read more]

10 Nov 2022

WooCommerce Fraud Prevention Plugin’s Functionality Can Be Disabled by Anyone Logged in to WordPress

When it comes to the security of WordPress plugins, those that extend the functionality of the ecommerce plugin WooCommerce would seem like they would be more secure than the average plugin, seeing as security should be important for software on websites handling money and customer data. But that continues to not be the case. Earlier this week the WP Tavern, which is barely disclosed to be owned by the head of the owner of WooCommerce, Matt Mullenweg, covered problems WooCommerce based websites are having with fraudulent charges through the Stripe payment service from those testing stolen credit card numbers. The story mentioned one partial solution for that issue:

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin. It allows store owners to block orders from specific IP addresses, emails, address, state, and zip codes. This might help once attacks have started but doesn’t fully prevent them. [Read more]

3 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF) in WooCommerce

One of the changelog entries for the latest version of the plugin WooCommerce is “Security – Added nonce check to CSV importer actions.” Considering the plugin has 4+ million installs, that sounded like something that would have been noticed before if it was true. When we went to look into this, we first found that the first step of the import process checked for a valid nonce. Then we found that the AJAX portion of the importing also checks for a valid nonce. Finally, what we found was that all the other steps in the process didn’t check for a valid nonce and will handle providing the nonce for the AJAX portion of the import.

[Read more]

7 Nov 2018

RIPS Technologies and BleepingComputer Creator Claim That Plugin’s Functionality Not Working When Disabled is WordPress “Design Flaw”

We generally avoid security journalism as it frequently involves anything from widely misleading claims to flat-out falsehoods, one example of that being something we discussed just a couple of weeks ago. One of the security journalism outlets we mentioned in that post was BleepingComputer, so when a Google news alert let us know of another story from them related to the security of WordPress plugins, it wasn’t surprising that it might not be totally accurate. The title of the story is WordPress Design Flaw + WooCommerce Vulnerability Leads to Site Takeover, though there doesn’t appear to be a design flaw in WordPress or a site takeover that actually occurred.

The “design flaw” is first described as one with the “WordPress permission system” and then as: [Read more]

8 Dec 2017

Not Really a WordPress Plugin Vulnerability – Week of December 8, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting up a weekly post, when that occurs, detailing those issues.

Directory Traversal Vulnerability in WooCommerce

A lot of reports of vulnerabilities that turn out to be false at least seem to have a valid basis, but occasionally you have truly strange ones. The claim of a directory traversal vulnerability in WooCommerce falls into the latter category. The claim made is: [Read more]