Popular Plugin for WooCommerce Patches Vulnerability

Posted by

The Popular WooCommerce Booster plugin patched a Reflected Cross-Site Scripting vulnerability, affecting up to 70,000+ websites utilizing the plugin.

Booster for WooCommerce Vulnerability

Booster for WooCommerce is a popular all-in-one WordPress plugin that provides over 100 functions for tailoring WooCommerce stores.

The modular package provides all of the most necessary functionalities required to run an ecommerce shop such as a custom-made payment entrances, shopping cart customization, and personalized cost labels and buttons.

Shown Cross Website Scripting (XSS)

A reflected cross-site scripting vulnerability on WordPress usually occurs when an input expects something particular (like an image upload or text) however allows other inputs, including harmful scripts.

An aggressor can then perform scripts on a site visitor’s browser.

If the user is an admin then there can be a potential for the assaulter stealing the admin credentials and taking over the website.

The non-profit Open Web Application Security Task (OWASP) explains this sort of vulnerability:

“Shown attacks are those where the injected script is shown off the web server, such as in an error message, search result, or any other response that consists of some or all of the input sent to the server as part of the request.

Reflected attacks are delivered to victims via another path, such as in an e-mail message, or on some other site.

… XSS can trigger a variety of problems for completion user that range in seriousness from an annoyance to finish account compromise.”

As of this time the vulnerability has actually not been assigned an intensity ranking.

This is the main description of the vulnerability by the U.S. Federal Government National Vulnerability Database:

“The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters before outputting them back in characteristics, causing Reflected Cross-Site Scripting.”

What that means is that the vulnerability involves a failure to “leave some URLs,” which means to encode them in special characters (called ASCII).

Getting away URLs implies encoding URLs in an expected format. So if a URL with a blank area is encountered a site may encoded that URL utilizing the ASCII characters “%20” to represent the encoded blank area.

It’s this failure to properly encode URLs which enables an attacker to input something else, presumably a harmful script although it might be something else like a redirection to harmful website.

Changelog Records Vulnerabilities

The plugins official log of software application updates (called a Changelog) makes reference to a Cross Website Request Forgery vulnerability.

The totally free Booster for WooCommerce plugin changelog consists of the following notation for version 6.0.1:

“REPAIRED– EMAILS & MISC.– General– Repaired CSRF problem for Booster User Roles Changer.

FIXED– Included Security vulnerability fixes.”

Users of the plugin need to consider updating to the very latest variation of the plugin.

Citations

Read the advisory at the U.S. Government National Vulnerability Database

CVE-2022-4227 Detail

Read a summary of the vulnerability at the WPScan website

Booster for WooCommerce– Shown Cross-Site Scripting

Included image by SMM Panel/Asier Romero