The U.S. government's National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.
The vulnerabilities range in severity, with some rated as high as Critical, a score of 9.8 on a scale of 1 to 10.
Every vulnerability was assigned a CVE (Common Vulnerabilities and Exposures) identifier, the number given to publicly disclosed vulnerabilities.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, installed on over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
A Cross-Site Request Forgery (CSRF) vulnerability arises from a flaw in a website plugin that allows an attacker to trick a logged-in website user into performing an action they did not intend.
Browsers automatically attach the cookies that tell a website a user is registered and logged in, so a request triggered from another site carries the victim's privileges. If the victim is an administrator, the attacker effectively acts with admin privileges, which can give full access to the website, expose sensitive customer information, and so on.
This specific vulnerability can lead to an export file download. The vulnerability description doesn’t describe what file can be downloaded by an attacker.
Given that the plugin’s purpose is to export WooCommerce order data, it may be reasonable to assume that order data is the kind of file an attacker can access.
The official vulnerability description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”
The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.
The official changelog for the plugin notes that the vulnerability was patched in version 3.3.3.
Read more at the National Vulnerability Database (NVD): CVE-2022-40128
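To show the pattern behind this class of bug, here is an added example (not code from the Advanced Order Export plugin) of a hypothetical WordPress export handler in its weak form beside a hardened form that requires a capability check and a WordPress nonce; the function names, action name and CSV helper are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Names are hypothetical.

// Constructed stand-in for the real export logic.
function hypo_build_orders_csv() {
    return "order_id,customer,total\n1001,alice@example.test,42.00\n";
}

function hypo_send_csv( $csv ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    exit;
}

// WEAK: relies only on the login cookie the browser sends automatically,
// so any page an admin visits can cause the browser to trigger the export.
function hypo_export_orders_weak() {
    hypo_send_csv( hypo_build_orders_csv() );
}

// HARDENED: require the right capability AND a nonce bound to this action
// and user. The nonce is not sent automatically, so a cross-site request
// cannot supply it; check_admin_referer() dies with 403 if it is missing.
function hypo_export_orders_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypo_export_orders' ); // verifies _wpnonce
    hypo_send_csv( hypo_build_orders_csv() );
}
// Only the hardened handler is wired up; the weak one is shown for contrast.
add_action( 'admin_post_hypo_export_orders', 'hypo_export_orders_hardened' );

// The admin-screen form must emit the matching nonce field.
function hypo_render_export_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypo_export_orders">';
    wp_nonce_field( 'hypo_export_orders' ); // adds _wpnonce and _wp_http_referer
    submit_button( 'Export orders' );
    echo '</form>';
}
```

A defender reviewing a plugin can grep its admin-side handlers for the absence of check_admin_referer() or wp_verify_nonce() next to a current_user_can() check; a handler with the login check but no nonce is the shape this advisory describes.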
2. Advanced Dynamic Pricing for WooCommerce
The second affected plugin is Advanced Dynamic Pricing for WooCommerce, which is installed on over 20,000 websites.
This plugin was discovered to have two Cross-Site Request Forgery (CSRF) vulnerabilities that affect all plugin versions lower than 4.1.6.
The purpose of the plugin is to make it easy for merchants to create discount and pricing rules.
The first vulnerability (CVE-2022-43488) can lead to a “rule type migration.”
That’s somewhat vague. Perhaps an assumption can be made that the vulnerability has something to do with the ability to change the pricing rules.
The official description provided at the NVD: