The popular WooCommerce Booster plugin patched a Reflected Cross-Site Scripting vulnerability, impacting up to 70,000+ websites using the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that provides over 100 functions for customizing WooCommerce stores.
The modular package provides all of the most essential functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress typically happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor's browser.
If the user is an admin, there is potential for the attacker to steal the admin credentials and take over the website.
The non-profit Open Web Application Security Project (OWASP) describes this type of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters prior to outputting them back in attributes, resulting in Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a website may encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs that allows an attacker to input something else, probably a malicious script, although it could be something else like a redirection to a malicious site.
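To make the NVD description concrete, here is an added example (not the plugin's code and not taken from the advisory) of a request value written into an HTML attribute with and without escaping: in the unescaped version a quote in the value ends the href early, while the escaped version keeps the whole value inside href. It uses plain PHP so it runs without WordPress, where `esc_url()` and `esc_attr()` do this job; the function names, the shop.example URL and the sample value are constructed for illustration.

```php
<?php
// Added illustration; function names and sample values are constructed.

// BEFORE: a request value is written into an attribute as-is.
function render_link_unescaped(string $returnUrl): string
{
    return '<a href="' . $returnUrl . '">Back to cart</a>';
}

// AFTER: allow only absolute http(s) URLs, then escape for the attribute context.
function render_link_escaped(string $returnUrl): string
{
    $scheme = strtolower((string) parse_url($returnUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $returnUrl = '/'; // reject javascript:, data:, etc. and fall back
    }
    return '<a href="' . htmlspecialchars($returnUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">Back to cart</a>';
}

// Percent-encoding is a different job: it makes a value safe inside a URL
// (a space becomes %20), not inside HTML markup.
function build_search_url(string $term): string
{
    return '/shop/?s=' . rawurlencode($term);
}

// List the attribute names an HTML parser sees on the first <a> element.
function parsed_attributes(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NOERROR);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input: a quote closes href early and adds a second attribute.
$input = 'https://shop.example/cart?x=1" data-injected="1';

echo implode(',', parsed_attributes(render_link_unescaped($input))), PHP_EOL;
echo implode(',', parsed_attributes(render_link_escaped($input))), PHP_EOL;
echo build_search_url('summer sale'), PHP_EOL;
```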
Changelog Records Vulnerabilities
The plugin's official log of software updates (called a Changelog) refers to a Cross-Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Read the advisory at the U.S. Federal Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan site
Booster for WooCommerce – Reflected Cross-Site Scripting