A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say.
The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.
The plugin has been removed from the WordPress plugin repository. “This plugin was closed on April 26, 2019 and is no longer available for download,” according to a notice on the site. However, that still leaves the 60,000 websites who have already downloaded and are utilizing the plugin open to attack, according to researchers.
The vulnerability affects users that have enabled “Categorize Uploaded Files” option within plugin settings:
- Allow Customers to Upload Files
- Categorize Uploaded Files | read more
The vulnerable functionality allows users and visitors to upload files in a form during checkout. However, even if you don’t have a file upload field in your site’s form – you are still vulnerable as long as you have tha above mentioned options enabled.
The vulnerability occurs inside the includes/admin.php file at line 2084 on which application is moving given files to a directory using move_uploaded_file without prior proper check for allowed files.
The vulnerability is accessible to both, registered users and visitors as ajax hooks are registered to non-authenticated users as well.
Users are recommended to remove the affected plugin immediately. An urgent update for WooCommerce Checkout Manager is now available (version 4.3) that patches the vulnerability. It can be downloaded here.
Join Our Online Security and Hosting Newsletter Today
