WordPress, WooCommerce flaws combine to allow website hijacking

A problem in how WordPress handles privileges can be exploited to take control of domains.

A flaw in how WordPress handles privilege assignments can be exploited to permit attackers to hijack WooCommerce websites.

The issue in the content management system (CMS) was discovered by Simon Scannell, a security researcher from RIPS Technologies, who said in a blog post that the design flaw specifically impacts WooCommerce, a popular WordPress plugin which has been downloaded over four million times.

"The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account," the security researcher says.

The plugin has been developed by Automattic and is a free e-commerce system for WordPress-based websites.

A file deletion bug was found in the software, and on its own, would generally not be considered critical as the best an attacker could do would be to delete index.php pages and cause a denial of service. However, when coupled with the WordPress design flaw, the bug's severity increases.

See also: Wordpress urges users to update now to fix critical security holes

The unpatched WordPress issue stems from how the CMS assigns capabilities to different roles.

When the shop manager role is defined, the edit_users capability is set to allow users with these privileges to edit customer accounts.

Even if the plugin is inactive, this account privilege is stored in the core WordPress database.

By default, the edit_users function allows an account holder to edit any user -- including administrator accounts. To prevent this from being abused, WooCommerce specifies that only accounts with the customer role can be edited -- but these metadata additions, made possible through current_user_can() functionality, are only active when the plugin is enabled.

CNET: Europe's 5G pace is slow and steady as others race

Therein lies the issue. As the WordPress design flaw keeps the shop manager role stored separately from the plugin, if WooCommerce is disabled, attackers who are able to gain access to one of these accounts are not limited by the metadata changes.

"This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with edit_users to edit any user, even administrators, would occur," Scannell says. "This would allow shop managers to update the password of the admin account and then take over the entire site."

However, the only way to disable this plugin for malicious gains outside of using an administrator account is to delete the main WooCommerce file -- and this requirement is fulfilled due to the WooCommerce file deletion vulnerability.

TechRepublic: How to solve the human challenges of cybersecurity

If a threat actor is able to successfully pull off a phishing campaign and gain the credentials of a shop manager account or uses an XSS vulnerability for the same purpose, then the attack chain is made possible.

"The method detailed [...] shows how a file deletion vulnerability in any WordPress plugin can be used to escalate privileges where meta privileges are used," the researcher says. "This design flaw still persists. File deletion vulnerabilities are not uncommon and even occur in the WordPress core itself."

The WooCommerce vulnerability was reported to Automattic in August, leading to a fix in version 3.4.6 of the plugin, released on October 11.

ZDNet has reached out to Automattic and will update if we hear back.

Previous and related coverage