Current flaw in unpatched WooCommerce

Just giving y’all a heads up to an article that dropped yesterday about possible JavaScript vulnerabilities in unpatched WooCommerce and quite a few other WordPress plug-ins:

Hopefully this is useful to someone in the community. :raised_hands::raised_hands:

2 Likes

I read through the article, the subsequent link and the entry in the Dr.Web vulnerability description. But nowhere can I find a version number that this has been patched on NOR a corroborating vuln database entry (like on WPScan). And every article ONLY references Dr.Web… Do you have more info on this?

To me the ‘patch your installs’ advice they give is akin to ‘don’t drive drunk’ - Kinda self explanatory without more information.

To me this currently reads like a LINUX vulnerability that can be exploited on WordPress with some plugins that allow this type of request to be made. At least, from the way I read this. But maybe you could elaborate and help me understand it better?

Edit:
I also looked at the exploit this malware is using and the earliest reported vuln goes back to 2016!!! (CVE-2016-10972) with other vulnerabilities (like the injection vuln CVE-2019-17233) from 2019. I don’t see the WooCommerce one mentioned, but that could mean it’s exploiting several known (hence old) vulnerabilities.

IF (and please correct me) this is a rather generous call to update websites that in the past didn’t care to update, I think this is nothing more than a press release to sell more product (hopefully I am wrong) since there is no new vulnerability in this exploit. It just happens to be new software that makes use of old vulnerabilities. From my listening to security podcasts and reading various articles and blogs, this is something that happens ALL THE TIME. (BTW, if you don’t want to lose your positive view on the web then I suggest not going down that rabbit hole, LOL)

Now in the end @chipriggs your advice is still solid, but I have a feeling that everyone here is already doing that?! (hopefully so). If not, LISTEN!

Hi @Sebastian, my intent with sharing the article was just to raise awareness in the community here about the possibility of vulnerabilities in unpatched versions of WooCommerce (and quite a few other WordPress plug-ins) based on the Ars Technica article and the other articles it cited.

I completely agree with you that most people here are probably already keeping things up to date, BUT if taking the time to drop a link here keeps one person from dealing with having their site hacked I’m fine with taking a few minutes even if it just makes them double check their sites and/or the sites they maintain.

I’m no security expert by any stretch, but do try to keep track of it in the news, blogs, & podcasts as you do, so I tend to lean towards the side of caution (and slight paranoia :grimacing:) in most things like this, which is also probably part of the reason I linked the article.

Anyway, Keep Calm and Patch On! :+1: :+1:

1 Like

True, even if one person double checked their servers or sites it is indeed worth it. And I do like your Keep Calm and Patch On! sign off!

You’re certainly right about the paranoia - I mean caution, yes caution, and the one thing I try to keep in mind is that it’s really easy to become a ‘too complicated’ target! At its cheapest is us and the most expensive is a dedicated team, and security software in between. And the reason why many providers now offer auto-updates (that’s a whole other ball game, but the reason behind this feature).

But I can’t help but think that something like this (esp. due to the WooCommerce mention!) is a fluff piece that various networks picked up for no other reason than that other networks picked it up. That includes Ars Technica, who did no due diligence (or maybe it was an AI re-write of the press piece? - a similar piece was on a MS-owned blog that was basically similar w/o any context or deeper explanation). And that makes me think that Dr.Web sold a slew of new licenses just because of this. So… It leaves a sour taste behind… But in the end, any server not used for fleecing some old lady out of her savings - it’s def better.

And I do think you helping the community is very worthwhile! Of course, I could be very wrong about the whole thing since while I consume a lot of sec news, I don’t do sec work - although I do rescue sites from just that kind of stuff.

Either way: Update yo sites! :wink: Have a good one.

1 Like

I forgot to say Welcome to the Community here as well. :raised_hands::raised_hands:

1 Like