Unlucky 13, a critical vulnerability found in WooCommerce.
On July 13, 2021, a critical vulnerability was disclosed in the WooCommerce and WooCommerce Blocks plugins. It had been reported through WooCommerce's HackerOne program.
A fix was published on the same day: WooCommerce corrected the bug and swiftly released patched versions. So if you are using WooCommerce, a quick upgrade to 5.5.1 (or to the patched release of the branch you are already on) is a good idea.
Is this a critical WooCommerce vulnerability?
We don't know the details of this vulnerability yet, and it is difficult to conclude what the vulnerability is, or how severe it is, from the announcements alone.
WooCommerce vulnerabilities are not rare: there were five in the last year alone (https://wpscan.com/plugin/woocommerce). Usually, however, they are fairly trivial and do not pose a significant threat to the site.
Just look at the last three vulnerabilities:
- WooCommerce <5.2.0 – Authenticated Stored Cross-Site Scripting (XSS) – If taxes are enabled, one of the fields was not sanitised properly, so a user with administrative privileges could inject code leading to XSS attacks on the website. XSS is a severe threat, of course, but exploiting this one required high privileges on the site.
- WooCommerce <4.7.0 – Arbitrary Order Status Disclosure via IDOR – This allowed an attacker to look up the status of any order by its ID. Only the order status was exposed.
- WooCommerce <4.6.2 – Guest Account Creation – This allowed customers to register an account in the store even when registration was disabled in the settings. They could only create a customer account, though, so it wasn't really a problem for store security.
These were genuine security flaws, but none of them had severe consequences for a site's security. At least that was the case for typical store implementations; the first one was considerably more dangerous for marketplaces, where vendor accounts typically hold elevated privileges.
However, everything indicates that this time is different. The WooCommerce team has published an announcement on its site and emailed users with information about the vulnerability, urging them to update quickly.
Furthermore, WooCommerce contacted the WordPress.org plugin team to force an update of these two plugins. This is a relatively obscure capability of the plugin team: yes, the WordPress plugin repository and update mechanism can push an update to a plugin without the site owner triggering it.
I am using WooCommerce. What should I do?
The WooCommerce team recommends updating the plugin promptly. That protects your store, and it also spares you surprises if a forced update reaches your site first.
Unfortunately, WooCommerce implementations quite often contain shortcuts and customisations that are not entirely correct, so updates can lead to bugs, problems and conflicts with other plugins or themes. A forced update that happens outside your control may be a bit of a mess. It is much better to do it yourself, ideally on a backup or staging copy first, and test that the store is operating correctly.
It is also worth noting that many sites don't run the current version of WooCommerce. According to the plugin repository's statistics, only 13.5% of installations use version 5.5.x.
Many users have run into problems with their store after updating to version 5.5.x, mostly due to incompatibility with other plugins and old, outdated themes. Note, therefore, that you do not need to update to version 5.5.1 in this case (despite what can be read in many places). The patch has been backported to most versions in use (the WooCommerce announcement lists every fixed version), so it is enough to perform a "small" update to the patched release of your current branch, which fixes only this one bug and thus minimises the risk of other problems.
Did you only just learn about this vulnerability from this article? That is why website security (especially for e-commerce stores) must be monitored by people who keep track of vulnerability disclosures and plugin versions and ensure a quick response. We do this as part of our Website Maintenance services (360WebCare).
Conclusions after code review
At the time of writing, the WooCommerce team has not published details of the vulnerability or its impact.
Since a version that fixes it is already published, anyone can check the fix: download the two versions and compare their code.
Version 5.5.1 differs from version 5.5.0 in only five files. Three of them are cosmetic changes; two contain security fixes. The changes mainly add escaping that was missing from SQL queries (in WordPress plugin code, that means values which should pass through $wpdb->prepare() or an escaping helper such as esc_sql() before being placed in a query), so we can safely say that this is a SQL injection vulnerability.
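To reproduce the comparison described above, here is an added example (not code from this page or from WooCommerce) that fetches two releases from the WordPress.org download mirror, lists the files that differ, and flags those whose added lines call a $wpdb escaping helper. The "demo" mode uses a constructed before/after pair that stands in for the kind of change such a fix contains; it is not the actual WooCommerce code. The download URL pattern is the WordPress.org convention, and the "fetch" mode assumes curl and unzip are installed.

```shell
#!/usr/bin/env bash
# Added example (not WooCommerce's or the page author's code): compare two
# plugin releases and flag changed files that introduce SQL escaping calls.
set -eu

# Every released version of a WordPress.org plugin is archived at this URL.
plugin_zip_url() {                       # plugin_zip_url woocommerce 5.5.1
    printf 'https://downloads.wordpress.org/plugin/%s.%s.zip\n' "$1" "$2"
}

# Download and unpack one release; prints the path of the unpacked plugin.
fetch_version() {                        # fetch_version woocommerce 5.5.0 /tmp/work
    local slug=$1 ver=$2 work=$3
    mkdir -p "$work/$ver"
    curl -fsSL "$(plugin_zip_url "$slug" "$ver")" -o "$work/$ver.zip"
    unzip -q -o "$work/$ver.zip" -d "$work/$ver"
    printf '%s\n' "$work/$ver/$slug"
}

# Relative paths of files that differ between two trees or exist in only one.
# (Paths containing spaces are not handled; plugin trees do not use them.)
changed_files() {                        # changed_files OLD_DIR NEW_DIR
    diff -rq "$1" "$2" | awk -v old="$1/" -v new="$2/" '
        $1 == "Files"  { print substr($2, length(old) + 1) }
        $1 == "Binary" { print substr($3, length(old) + 1) }
        $1 == "Only"   { d = $3; sub(/:$/, "", d)
                         base = (index(d "/", old) == 1) ? old : new
                         rel = substr(d, length(base) + 1)
                         print (rel == "" ? "" : rel "/") $4 }'
}

# Changed files whose added lines ("> ...") call a WordPress SQL escaping
# helper. Files that only changed cosmetically (changelog, comments) do not match.
escaping_fixes() {                       # escaping_fixes OLD_DIR NEW_DIR
    local f
    changed_files "$1" "$2" | while IFS= read -r f; do
        [ -f "$1/$f" ] && [ -f "$2/$f" ] || continue
        if diff "$1/$f" "$2/$f" | grep -Eq '^>.*(->prepare\(|->esc_like\(|esc_sql\()'; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed fixture (not real WooCommerce code) standing in for the kind of
# change a SQL escaping fix contains: an unescaped LIKE query "before", its
# $wpdb->prepare() form "after", plus a cosmetic changelog edit. Creates
# WORK_DIR/old and WORK_DIR/new.
make_fixture() {                         # make_fixture WORK_DIR
    local work=$1
    mkdir -p "$work/old/includes" "$work/new/includes"
    cat > "$work/old/includes/class-search.php" <<'PHP'
<?php
function search_items( $term ) {
    global $wpdb;
    // Vulnerable: user input is concatenated straight into the SQL string.
    return $wpdb->get_col( "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%'" );
}
PHP
    cat > "$work/new/includes/class-search.php" <<'PHP'
<?php
function search_items( $term ) {
    global $wpdb;
    // Fixed: esc_like() neutralises % and _, prepare() escapes the bound value.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s", $like ) );
}
PHP
    printf '= 5.5.0 =\n* Tweak.\n' > "$work/old/changelog.txt"
    printf '= 5.5.1 =\n* Security fix.\n= 5.5.0 =\n* Tweak.\n' > "$work/new/changelog.txt"
}

# Usage: bash compare.sh demo                           (offline, uses the fixture)
#        bash compare.sh fetch woocommerce 5.5.0 5.5.1  (downloads both releases)
case "${1:-}" in
    demo)
        work=$(mktemp -d); make_fixture "$work"
        echo "changed files:";                    changed_files "$work/old" "$work/new"
        echo "changed files adding SQL escaping:"; escaping_fixes "$work/old" "$work/new"
        rm -rf "$work" ;;
    fetch)
        work=$(mktemp -d)
        old=$(fetch_version "$2" "$3" "$work"); new=$(fetch_version "$2" "$4" "$work")
        echo "changed files:";                    changed_files "$old" "$new"
        echo "changed files adding SQL escaping:"; escaping_fixes "$old" "$new" ;;
esac
```

Run with `fetch woocommerce 5.5.0 5.5.1` to obtain the list of changed files for the real releases and see which of them gained escaping calls; the grep is a heuristic that points you at the files worth reading by hand, not a proof that every injection point was closed.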
Do you need help with an infection on your website?
If you're an inexperienced user and don't have a dedicated malware-removal specialist, we strongly advise engaging our 360WebRescue services. We can help remove malware from your website.
Do you need help with website maintenance?
Regular website maintenance with 360WebCare plans starts from $79 AUD per month.
Do not be tempted to put off your website maintenance; it can cost you a lot more in the long run. When issues accumulate they become harder to fix, and a weak website leads to more downtime, costing you customers and conversions. It's a much smarter and more cost-effective business move to have your website regularly checked by an expert.
If you need any assistance with your WordPress website, get in touch with one of our specialists via the contact form on www.360webcare.com.