Cybersecurity researchers have uncovered a security flaw in the Variation Swatches plugin that allows attackers with low-level permissions to tweak vital settings on e-commerce websites and insert malicious scripts.
The plugin, “Variation Swatches for WooCommerce,” installed on 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) vulnerability that allows threat actors to inject malicious web scripts and take over sites.
Variation Swatches is built to let e-commerce sites running the WooCommerce platform on WordPress display and sell multiple variations of a single product. Unfortunately, vulnerable versions also give users without administrative capabilities, such as customers or subscribers, access to the plugin’s settings, according to researchers from Wordfence.
“More specifically, the plugin registered the ‘tawcvs_save_settings,’ ‘update_attribute_type_setting’ and ‘update_product_attr_type’ functions, which were all hooked to various AJAX actions. These three functions were all missing capability checks as well as nonce checks, which provide cross-site request forgery protection,” Wordfence’s Chloe Chamberland stated in a recent blog post.
Low-privileged customer access to the “tawcvs_save_settings” function is especially troubling, she said, because it can be abused to update the plugin’s settings and inject malicious web scripts that would execute whenever a site owner viewed the plugin’s options page.
“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site,” Chamberland added.
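To make the two missing checks Chamberland describes (capability and nonce) and the stored-XSS path she outlines concrete, here is an added PHP example; it is not the plugin’s own code but a hypothetical settings handler shown in its unprotected form beside a hardened one. The function names, the option key, the nonce action and the script handle are assumptions.

```php
<?php
// Added example, not code from the Variation Swatches plugin: a hypothetical
// settings handler with the two checks the advisory says were missing, plus
// output escaping so a stored value cannot run as script on the options page.

// Vulnerable pattern: wp_ajax_ hooks fire for every logged-in role, so with no
// nonce and no capability check any subscriber can overwrite the option, and the
// raw value is later echoed on the admin page (stored XSS).
function example_save_settings_vulnerable() {
    update_option( 'example_swatch_settings', $_POST['settings'] );
    wp_send_json_success();
}

// Hardened pattern: verify the CSRF nonce, require an admin capability,
// sanitize the input, and escape on output.
function example_save_settings_secure() {
    // Dies with -1 / HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = sanitize_text_field( $raw ); // strips tags and control characters
    update_option( 'example_swatch_settings', $settings );
    wp_send_json_success( array( 'saved' => $settings ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_secure' );

// Escape at render time too, so a stored value stays inert even if a
// sanitization gap is found later.
function example_render_settings_field() {
    $value = get_option( 'example_swatch_settings', '' );
    printf( '<input type="text" name="settings" value="%s" />', esc_attr( $value ) );
}

// The nonce is handed to the admin-page script that makes the AJAX call, so a
// request forged from another site has no valid token.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The unprotected handler is shown for comparison only; in a real plugin only the hardened one would be hooked, and auditing every `wp_ajax_` callback for both checks is the quickest way to spot this class of bug.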
The flaw, tracked as CVE-2021-42367, affected all users of the plugin until Nov. 23, when it was patched in version 2.1.2.
WordPress users are already dealing with cascading flaws, incidents, and hacks. Last week, for instance, GoDaddy, the world’s largest domain registrar, was hacked, affecting 1.2 million customers and GoDaddy Managed WordPress resellers.
In October, a bug in the Hashthemes Demo Importer plugin allowed users with simple subscriber permissions to wipe sites of all content. To mitigate this latest plugin bug, Chamberland advised site owners to update to the patched version of Variation Swatches for WooCommerce.
In mid-November, another faulty WordPress plugin allowed threat actors to display a fake ransomware encryption message demanding nearly $6,000 to unlock the website. The threat was empty; all users had to do was delete the plugin, but had the hackers deployed real ransomware the result could have been disastrous.