It hasn’t been long since we heard of multiple security bugs in the Discount Rules for WooCommerce Plugin. Yet, recently, researchers discovered some more vulnerabilities in the same plugin.
Bugs In Discount Rules for WooCommerce Plugin
Team Wordfence has found numerous bugs affecting the Discount Rules for WooCommerce Plugin. As elaborated in their recent post, they found multiple stored Cross-Site Scripting (XSS) flaws leading to authorization bypass.
Briefly, the vulnerabilities affected the “v2” and “v1” codebases of the plugin as well as the functionality to switch between the two codebases.
The bugs existed because of a lack of capability checks. Hence, they could allow any site visitor to modify, add, or delete discount rules or view coupons.
The difference between the “v2” and “v1” bugs was that the latter required an attacker to be signed-in. Also, the bugs affected more functions.
According to the researchers,
In addition to allowing attackers to view all available coupons on a site and activate, duplicate, and delete discount rules, at least two of the actions,
saveCartRulewere also vulnerable to stored Cross-Site Scripting(XSS) in several of the rule fields.
Patch Rolled Out
The researchers found the bugs while working on their firewall to address the previously known plugin vulnerabilities. They reported the bugs to the developers on August 21, 2020, who released an initial patch on August 22, 2020. This patch prevented the users to switch between the ‘v1’ and ‘v2’ codebase.
After that, they released a large fix addressing most bugs on September 2, 2020. However, they still missed patching the CSRF vulnerability affecting the version switching functionality.
Later, on September 9, 2020, they deployed a third fix to address all the bugs.
Hence, now, all users must ensure updating their sites with the latest Discount Rules for WooCommerce version 2.2.1 asap.
In August, another team of researchers discovered multiple vulnerabilities in the WooCommerce plugin. The bugs also came under attack soon after disclosure.