By Sergiu Gatlan | Bleeping Computer
Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.
Discount Rules for WooCommerce is a plugin that makes it simple to manage product pricing and discount campaigns on WooCommerce online stores.
“We have seen an influx of attacks against this vulnerability. Primarily from the IP address 45[.]140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook,” says WebARX CTO Dave Jong, who found the vulnerabilities.
“This seems to indicate that they are attempting to target WooCommerce based sites with this outdated plugin version installed.”
Website takeover risk after successful exploitation
The security flaws found and reported by WebARX could allow attackers to remotely execute code on vulnerable sites, perform actions with admin permissions, and potentially take over compromised sites.
WebARX reported the vulnerabilities to the plugin’s development team on August 7 and, less than a week later, on August 13, version 2.1.0 containing a fix for these issues was released.
Based on Jong’s analysis of these vulnerabilities, they are caused by a lack of nonce token and authorization checks which, if successfully exploited, could allow unauthenticated attackers to retrieve a list of all users and coupon codes, inject XSS into a site’s header, footer, or admin page, and trigger remote code execution exploits.
“A malicious user could inject JavaScript in the admin_head location to execute certain admin actions on the backend,” WebARX CTO Dave Jong told BleepingComputer.
“Another example would be to inject a JavaScript keylogger into the login form to eventually take over an admin account.”
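The root cause described above (an AJAX endpoint reachable without a nonce or authorization check, whose stored value is later printed on a template hook such as woocommerce_before_main_content or admin_head) is a common WordPress plugin pattern. The following is an added example, not code from the Discount Rules for WooCommerce plugin or from WebARX: it shows a hypothetical settings handler in the vulnerable shape, then the hardened shape a plugin author would ship. All action, function and option names (example_save_banner, example_banner_html) are hypothetical; check_ajax_referer, current_user_can, wp_kses_post and the manage_woocommerce capability are real WordPress/WooCommerce APIs.

```php
<?php
// Added example (hypothetical names): a plugin setting that stores HTML and
// prints it on a WooCommerce template hook. First the vulnerable shape the
// article describes, then the hardened version.

// --- VULNERABLE SHAPE (shown for comparison; not registered) -----------------
// A "wp_ajax_nopriv_" twin makes the handler reachable by logged-out visitors,
// and the body saves the request value with no nonce, capability check or
// sanitisation, so anyone can persist markup that every shop page then echoes.
//
//   add_action( 'wp_ajax_example_save_banner',        'example_save_banner_unsafe' );
//   add_action( 'wp_ajax_nopriv_example_save_banner', 'example_save_banner_unsafe' );
function example_save_banner_unsafe() {
    update_option( 'example_banner_html', $_POST['banner_html'] ); // no nonce, no auth, no filtering
    wp_send_json_success();
}

// --- HARDENED SHAPE ------------------------------------------------------------
// Registered only on the authenticated "wp_ajax_" hook (no nopriv twin).
add_action( 'wp_ajax_example_save_banner', 'example_save_banner' );

function example_save_banner() {
    // 1. CSRF: the settings page creates the token with
    //    wp_create_nonce( 'example_save_banner' ) and sends it as "_ajax_nonce".
    //    check_ajax_referer() dies with a 403 response when it is missing or stale.
    check_ajax_referer( 'example_save_banner', '_ajax_nonce' );

    // 2. Authorization: a valid nonce proves intent, not permission. A logged-in
    //    customer account would pass step 1, so check the capability as well.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: keep only post-safe HTML. wp_kses_post() strips <script>,
    //    on* event attributes and javascript: URLs before the value is stored.
    $raw  = isset( $_POST['banner_html'] ) ? wp_unslash( $_POST['banner_html'] ) : '';
    $html = wp_kses_post( $raw );

    update_option( 'example_banner_html', $html );
    wp_send_json_success( array( 'saved_bytes' => strlen( $html ) ) );
}

// Output side: filter again when printing, so a value that was injected before
// the fix (or through some other path) is neutralised rather than trusted.
add_action( 'woocommerce_before_main_content', 'example_print_banner' );

function example_print_banner() {
    echo wp_kses_post( get_option( 'example_banner_html', '' ) );
}
```

When auditing a plugin for this class of bug, the two things to look for are a `wp_ajax_nopriv_` registration for any handler that writes state, and a handler body that calls `update_option()` or a database write without both `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check; a nonce alone is not an authorization check, since any logged-in user can obtain one from a page they are allowed to view.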