Multiple Vulnerabilities In Discount Rules For WooCommerce Plugin – Comment

By   ISBuzz Team
Writer , Information Security Buzz | Aug 24, 2020 06:41 am PST

According to researchers, hackers are attempting to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin which has more than 30,000 installations.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Timothy Chiu
Timothy Chiu , Vice President of Marketing
August 25, 2020 10:59 am

The WooCommerce plugin is written in PHP, a common language for web applications. The fact that security vulnerabilities like SQL Injection and XSS were discovered and patched in WooCommerce shouldn’t be a surprise. Over 10k vulnerabilities have been discovered in the production code this year already and recorded in the US-Cert Vulnerability database.

What’s of more concern is how fast cyber attackers are acting on this disclosed vulnerability. It’s a good reminder that organizations need to keep on top of their patching and code fixes and implement them in a timely manner. Those fortunate enough to have updated are protected, but as we can see from the numbers, many remain vulnerable and unpatched. In addition to keeping up to date on the latest patches, organizations should also make sure they have runtime application security, as recommended by the latest draft of the NIST application security framework, SP800-53.

Last edited 3 years ago by Timothy Chiu
Ameet Naik
Ameet Naik , Security Evangelist
August 24, 2020 2:43 pm

Third-party plugins are an attractive target for hackers seeking to compromise e-commerce sites. Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious Shadow Code that can steal user data, spread malware or hijack users to nefarious sites. Such techniques have been used to take over and launch Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers.

Website owners using platforms such as WooCommerce need to thoroughly review third-party plugins and ensure they upgrade to the latest versions to minimize the odds of such attacks. Consumers must also continue to safeguard their personal data and monitor their credit history for signs of fraud.

Last edited 3 years ago by Ameet Naik

Recent Posts

Would love your thoughts, please comment.x