WooCommerce Suffering From a Dangerous Object Injection Vulnerability

This is something of a breaking news item.

In short: WordPress users who run the WooCommerce plugin face possible hacker attacks.

The Sucuri team just discovered a dangerous vulnerability during a routine audit for their web application firewall.

The vulnerability in WooCommerce appears to be Object Injection related, and it could allow an attacker to download sensitive files from the vulnerable server. The problem appears only if the “PayPal Identity Token” option is set.

That PayPal option is set from your WordPress dashboard by clicking on WooCommerce’s Settings and then on the Checkout tab. Under Advanced Options you will find the Identity Token field, which is where the issue originates.


The affected WooCommerce versions are 2.3.10 and earlier, and Sucuri rates the vulnerability 8 out of 10 on their “DREAD score” scale, so things are quite serious.


After Sucuri reported the vulnerability, WooCommerce’s developers released a quick update, version 2.3.11, which can be downloaded from WordPress’ official plugin directory or installed automatically from your admin panel. The release includes several bug fixes along with the fix for the issue Sucuri discovered.

Who is affected?

If you’re using the PayPal Identity Token for your transaction notifications, it’s not only the online shop that is exposed in case of an attack. Your entire website can suffer, because the vulnerability gives the attacker access to your site’s whole database.

How to avoid being attacked

  • First of all, if you’re using a vulnerable version of this plugin, update it as soon as possible.
  • Try to keep your current password and avoid requesting password-reset emails; attackers are waiting for exactly that!
  • For more protection, you can get Sucuri’s Website Firewall.
  • Besides Sucuri’s protection services, you could try other third-party solutions. Here are some options:
    • WordFence – a free enterprise security and performance plugin, which makes your site work faster and safer.
    • BulletProof Security – helps with your website’s security in many categories: firewall, database, login and more.
    • Sucuri Security – this time, a free plugin from Sucuri that takes care of auditing, malware scanning, and security hardening.
    • All In One WP Security & Firewall – reduces security risks by checking for vulnerabilities and by implementing the latest security practices and services.
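As an added example that is not part of the original article (and not code from WooCommerce or Sucuri), the following POSIX shell script turns the first precaution into a check you can run on a site: it compares an installed WooCommerce version against 2.3.11, the first release with the fix, and, where WP-CLI is available, reads the installed version and whether a PayPal Identity Token is configured. The option name woocommerce_paypal_settings and its identity_token key are assumptions about how the PayPal gateway stores its settings, not facts stated in the article; the version logic itself runs offline.

```shell
#!/bin/sh
# Added example (not from the article, WooCommerce or Sucuri): decide whether an
# installed WooCommerce version falls in the affected range (2.3.10 and earlier)
# and, where WP-CLI is present, check the two facts the article names: the
# plugin version and whether a PayPal Identity Token is configured.

FIXED_VERSION="2.3.11"   # first release with the fix, per the article

# version_lt A B: succeed when A sorts strictly before B as a version number
# (sort -V, so 2.3.9 is correctly older than 2.3.11).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# wc_is_vulnerable VERSION: succeed when VERSION is 2.3.10 or earlier.
wc_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# wc_report VERSION TOKEN_SET: print a one-line verdict; TOKEN_SET is "yes" or "no".
wc_report() {
    if wc_is_vulnerable "$1"; then
        if [ "$2" = "yes" ]; then
            echo "VULNERABLE: WooCommerce $1 with PayPal Identity Token set - update to $FIXED_VERSION or later now"
        else
            echo "AT RISK: WooCommerce $1 is affected, but no PayPal Identity Token is set - update anyway"
        fi
    else
        echo "OK: WooCommerce $1 includes the fix"
    fi
}

# Live check, only when WP-CLI is installed (run from the WordPress root).
# Assumption: the PayPal Standard gateway keeps its settings in the option
# woocommerce_paypal_settings, with the token under the key identity_token.
if command -v wp >/dev/null 2>&1; then
    installed="$(wp plugin get woocommerce --field=version 2>/dev/null)"
    token="$(wp option get woocommerce_paypal_settings --format=json 2>/dev/null \
        | grep -o '"identity_token":"[^"][^"]*"' || true)"
    token_set="no"
    [ -n "$token" ] && token_set="yes"
    [ -n "$installed" ] && wc_report "$installed" "$token_set"
fi
```

The verdict deliberately distinguishes "vulnerable" (affected version plus a configured token, the condition the article says triggers the issue) from "at risk" (affected version, no token), because the right action in both cases is the same update, but the first case needs it immediately.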

This is a serious issue and must be treated as such. Make sure you take all the necessary precautions to keep your website and your WooCommerce shop safe.

  • Nika.

    I already had that kind of problem, and it crashed my website :/

    • I hope you’ve managed to fix the issue by now. Did the update help?

  • Thanks for the information.
    I’m using WooCommerce for one of my niche sites…

  • This is bad news for WooCommerce users, but it’s good to have an instant security update from the WooCommerce team. Thanks for sharing here too, so that those who are not aware of it will get to know and safeguard themselves.