Security Flaw Found In WooCommerce WordPress Plugin
About WooCommerce Plugin
The WooCommerce plugin is a complete eCommerce solution for the CMS that allows users to sell anything through their websites. According to WooThemes, the plugin has more than 1 million active users.
Object Injection Flaw
The “object injection” vulnerability is only present when WooCommerce’s “PayPal Identity Token” option is set, say the researchers.
During their tests the researchers managed to exploit the bug by combining WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643), and downloaded critical files such as wp-config.php, which contains the database credentials and WordPress secret keys.
Marc-Alexandre Montpas, a security researcher at Sucuri said in a blog post,
“It is worth noting that even if your site doesn’t run on top of an old version of PHP, there are a lot of different attack vectors an attacker could use depending on what extensions you have available.”
“There’s also a couple of other bugs related to PHP itself that we could have investigated, but we decided to stick with CVE-2013-1643 because it’s widely documented and relatively simple to recreate.”
If you are using a vulnerable version of the plugin, update it as soon as possible.