Researchers discovered a design flaw in the WordPress permission system and a file deletion vulnerability in WooCommerce that could allow an attacker to gain complete control of a WordPress site. WooCommerce is a well-known plugin that adds eCommerce functionality to a blog, so site owners can host their own marketplaces. There are currently more than four million active installations of WooCommerce. When a WordPress plugin utilizes a different user role, it will use the WordPress permission system rather than creating its own permission system. When the plugin is installed, it creates a shop manager role that has the “edit_users” capability. This allows users to edit any WordPress user, including administrator accounts. Because site owners do not want a plugin’s users editing the administrator for the site, WooCommerce had created a function to prevent this. If the WooCommerce plugin is disabled, the function which prevents users a shop manager can edit cannot be accessed and allows users to edit the administrator role. The only way to disable WooCommerce is using an administrator account or by deleting files that are associated with WooCommerce. This leads to the file deletion vulnerability, which affects WooCommerce 3.4.5 and earlier. The vulnerability resides in the plugin’s log deletion functionality which shop managers have access to. According to researchers, “Using the vulnerability, a user who was in the Shop Manager role could escape out of the expected folder by adding .. to the passed argument.” In order for successful exploitation though, an attacker needs to have access to an account in the shop manager role. A patch was made available on October 11th.
Users of the WooCommerce plugin should update to the latest version when possible. If the user does not install the patch, they are at a high risk for being attacked. It is good practice to keep up with current vulnerabilities and attacks that are announced to help a user know if they are affected in any way.