Specialists from RIPS Technologies discovered a problem associated with the work of WordPress and the popular e-commerce plugin WooCommerce created by Automattic. According to official statistics, this solution has been downloaded over four million times and has about the same number of active installs. The researchers explain that there are two problems here at once. The first problem is that when a plugin is installed for WordPress that uses different user roles, it does not create its own authentication system, but uses the existing CMS privilege system. To do this, the plugin creates a new role with new WordPress features, and then restricts its interaction with the CMS settings and other users through its own functions.
So, when installing WooCommerce, a new Shop Manager role is created, which has edit_users rights. This permission allows the user to edit any posts, as well as the profiles of any other WordPress users, including the administrator. It would seem that the WooCommerce developers have provided a feature that prohibits users with this role from interfering with administrator profiles. But due to a bug in the plugin privilege management system, when WooCommerce is disabled, the “store manager” feature no longer works, and users with this role can freely edit other users' accounts.
As a result, the only reliable way to disable the plugin is to disable it by the administrator, or rather delete all of its files. And here the second problem comes into play. that RIPS Technologies analysts discovered a bug related to deleting WooCommerce files version 3.4.5 and below. It turned out that users with Shop Manager rights can delete any plugin file, including those critical for its operation. After that, the plugin will predictably stop working, WordPress will automatically disable it, and the situation will return to the above, when a user with the Shop Manager role has the ability to edit the profiles of any users.
The researchers explain that in such a situation it would not be difficult for an attacker to seize the administrator's account, and hence control over the entire site. The video below demonstrates the combination of the two problems described in the case. Specialists emphasize that in order to successfully exploit this scheme, an attacker will need have access to an account with the Shop manager role. However, this, according to researchers, is achievable through XSS vulnerabilities or phishing attacks.
WooCommerce developers have already fixed the problem by releasing a new version of the plugin (3.4.6). Since not everyone has automatic plugin updates turned on, experts recommend that users check for updates and make sure they are working with the latest version of WooCommerce.