Multiple Vulnerabilities In Discount Rules For WooCommerce Plugin – Comment

According to researchers, hackers are attempting to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) vulnerabilities in the Discount Rules for WooCommerce WordPress plugin, which has more than 30,000 installations.
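The three defect classes named above (missing authorization, SQL injection, and stored XSS) commonly appear together in a single plugin request handler. The following is an added illustration, not code from the Discount Rules for WooCommerce plugin or its vendor: a hypothetical WordPress AJAX handler `example_save_rule` writing to a constructed table `{$wpdb->prefix}example_rules`, shown first with the weak pattern and then hardened with the standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `$wpdb->prepare`, `esc_html`). The handler name, table and capability choice are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. The handler name, the table
// {$wpdb->prefix}example_rules and the chosen capability are constructed.

// --- Weak version: the three defect classes the article names ---
function example_save_rule_weak() {
    global $wpdb;
    // (1) Authorization issue: no nonce and no capability check, so any
    //     request that reaches admin-ajax.php for this action can change
    //     rules. If the action were also hooked on wp_ajax_nopriv_, an
    //     unauthenticated request would work too.
    $id    = $_POST['id'];
    $title = $_POST['title'];
    // (2) SQL injection: request data is concatenated into the query.
    $wpdb->query( "UPDATE {$wpdb->prefix}example_rules SET title = '$title' WHERE id = $id" );
    // (3) Stored XSS: the value is stored and later echoed without escaping.
    echo '<span class="rule-title">' . $title . '</span>';
    wp_die();
}

// --- Hardened version ---
function example_save_rule() {
    global $wpdb;
    // Authorization: the request must carry a valid nonce for this action
    // and the user must hold a capability that permits editing rules.
    check_ajax_referer( 'example_save_rule', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Input handling: coerce the id to an unsigned integer and strip
    // tags/control characters from the title.
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }
    // SQL: parameterised through $wpdb->prepare(); %d and %s are escaped
    // and quoted by WordPress, so the title can never alter the statement.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_rules SET title = %s WHERE id = %d",
        $title,
        $id
    ) );
    // Output: escape at the point of rendering, regardless of what is stored,
    // so a title containing markup is shown as text rather than executed.
    wp_send_json_success( array(
        'html' => '<span class="rule-title">' . esc_html( $title ) . '</span>',
    ) );
}

// Register the hardened handler for logged-in users only: no
// wp_ajax_nopriv_ hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_save_rule', 'example_save_rule' );
```

The client side must send the nonce produced by `wp_create_nonce( 'example_save_rule' )` in the `nonce` field; without it `check_ajax_referer` ends the request. When reviewing a third-party plugin, these are the three checks to look for in every AJAX, REST and admin-post handler: a nonce plus capability test before any state change, `$wpdb->prepare()` (or the `insert`/`update` helpers) for every query that includes request data, and `esc_*` functions at every point where stored data is written into HTML.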

Expert Comments

August 24, 2020
Ameet Naik
Security Evangelist
PerimeterX
Third-party plugins are an attractive target for hackers seeking to compromise e-commerce sites. Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious Shadow Code that can steal user data, spread malware or hijack users to nefarious sites. Such techniques have been used to take over and launch Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers. Website owners using platforms such as WooCommerce need to thoroughly review third-party plugins and ensure they upgrade to the latest versions to minimize the odds of such attacks. Consumers must also continue to safeguard their personal data and monitor their credit history for signs of fraud.
August 25, 2020
Timothy Chiu
Vice President of Marketing
K2 Cyber Security
The WooCommerce plugin is written in PHP, a common language for web applications. The fact that security vulnerabilities like SQL Injection and XSS were discovered and patched in WooCommerce shouldn’t be a surprise. Over 10k vulnerabilities have been discovered in the production code this year already and recorded in the US-CERT Vulnerability database. What’s of more concern is how fast cyber attackers are acting on this disclosed vulnerability. It’s a good reminder that organizations need to keep on top of their patching and code fixes and implement them in a timely manner. Those fortunate enough to have updated are protected, but as we can see from the numbers, many remain vulnerable and unpatched. In addition to keeping up to date on the latest patches, organizations should also make sure they have runtime application security, as recommended by the latest draft of the NIST application security framework, SP800-53.