A vulnerability in a popular WordPress plugin referred to as the WooCommerce Checkout Manager extension is potentially placing more than 60,000 web sites at risk, researchers say.
The WooCommerce Checkout Manager plugin permits WooCommerce customers to customize and control the fields on their checkout pages. The plugin, owned via Visser Labs, is cut loose the WooCommerce plugin, that is owned by using Automattic.
“Earlier this week, an arbitrary file add vulnerability has been located in popular WordPress plugin WooCommerce Checkout Manager which extends the capability of widely recognized WooCommerce plugin,” stated Luka Sikic, with WebEx Security in a Thursday publish.
Visser Labs has now not responded to a request for remark from Threatpost. On Friday, the plugin has been eliminated from the WordPress plugin repository. “This plugin turned into closed on April 26, 2019, and is not available for download,” in step with a word at the website online. However, that also leaves the 60,000 web sites who’ve already downloaded and are utilizing the plugin open to attack, in keeping with researchers.
On Tuesday, Plugin Vulnerabilities published a proof of idea outlining an attack on an arbitrary document upload vulnerability in WooCommerce Checkout Manager. The disclosed vulnerability exists because the plugin’s “Categorize Uploaded Files” choice does no longer take a look at privileges or permissions before files are uploaded. As a result, bad actors could add – and then execute – malicious files.
“Since there’s no privilege or permission test before uploading a record, the exploitation of the vulnerability in WooCommerce Checkout Manager is straightforward and doesn’t require an attacker to be registered on the website,” Sakic said.
The wide variety of prone plugins being exploited in a massive marketing campaign is racking up, with the WooCommerce Checkout Manager the modern plugin to be exploited.
The WooCommerce Checkout Manager is only the modern day plugin to have a disclosed vulnerability, researchers say.
“We preserve to see a growth in the wide variety of plugins attacked as a part of a campaign that’s been lively for quite a long time,” consistent with John Castro with Sucuri in a latest publish. “Bad actors have introduced extra prone plugins to inject similar malicious scripts.”
Other plugins currently added to the attack encompass WP Inventory Manager and Woocommerce User Email Verification. That’s on the pinnacle of others, inclusive of Social Warfare, Yellow Pencil Visual Theme Customizer, and Yuzo Related Posts.
Researchers urged plugin users to disable the plugin absolutely or disable the “Categorize Uploaded Files” alternative on the plugin settings web page.
“Attackers are trying to exploit vulnerable versions of these plugins,” said Castro. “Public exploits exist already for all of the additives indexed above, and we highly encourage you to preserve your software updated to prevent any infection.”