Up to 4 million online merchants who use the popular WooCommerce WordPress plugin are vulnerable to a file deletion vulnerability that could allow a rogue “shop manager” to escalate privileges and eventually execute remote code on impacted websites.
Researchers at RIPS Technologies trace the bug to an unpatched design flaw in the privilege system of WordPress which can lead to an attack. While the flaw impacts many plugins on WordPress, one of the bigger impacted plugins is WooCommerce, an open source e-commerce plugin designed for small to large-sized online merchants using WordPress. WooCommerce powers 30 percent of all online stores — more than any other platform, according to WordPress.
“The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account,” Simon Scannell, security researcher with RIPS Technologies, said in a Tuesday post.
WooCommerce establishes “roles” for users ranging from customer, shop manager to admin. The shop manager role allows a user to manage all settings within WooCommerce platform, such as creating and editing products.
After a payload is injected that deletes the WooCommerce plugin, an attacker in the “shop manager” role can access the “admin” role.
A bad actor in the “shop manager” role could open the vulnerable log manager in WordPress and inject a payload to delete the WooCommerce plugin. By deleting this, it disables runtime restrictions on the plugin and the attacker can then edit and takeover the admin account.
“Arbitrary file deletion vulnerabilities aren’t considered critical in most cases as the only thing an attacker can cause is a Denial of Service by deleting the index.php of the website,” Scannell wrote. “[We] detail how deleting certain plugin files in WordPress can disable security checks and then leads to a full site takeover.”
An admin account takeover by shop managers occurs because WordPress assigns filters to different roles – in this case WooCommerce roles. Roles are independent of one another and exist even if a plugin is inactive. The roles are stored in the database as a core setting of WordPress – however, it means that they only get executed when the plugin is active.
“The issue is that user roles get stored in the database and exist even if the plugin is disabled,” according to Scannell. “This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with edit_users to edit any user, even administrators, would occur.”
That would allow shop managers to update the password of admin accounts and take over the entire site.
The exploit requires nothing more than an attacker being in control of an account with the user role “shop manager.” However, the exploit is not perfect – one major drawback is that when executing the exploit, all data is lost on the target site, Scannell said.
A potential attacker could access the shop manager role via XSS vulnerabilities or phishing attacks, and then exploit the flaw to take over any administrator account and execute code on the server.
Scannell reported the arbitrary file deletion vulnerability in August, and a patch was released in October. Automattic, the company behind both WordPress and WooCommerce, did not respond to a request for further comment.
WordPress has faced other varying flaws over the past year. In August, researchers outlined a proof-of-concept exploit that would enable bad actors to target a severe vulnerability in the PHP programming language behind several major CMS companies, including WordPress. And in June, WordPress patched two bugs rated “medium” in its tooltips plugin, including one that can allow bad actors to do anything an administrative user would be able to do on a WordPress site.
