The popular Booster for WooCommerce plugin patched a Reflected Cross-Site Scripting vulnerability, affecting up to 70,000+ websites using the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that offers over 100 functions for customizing WooCommerce stores.
The modular package offers the most essential functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress typically happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor’s browser.
If the user is an admin, the attacker may be able to steal the admin credentials and take over the site.
The non-profit Open Web Application Security Project (OWASP) describes this type of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search results page, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this writing, the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability from the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin prior to 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, resulting in Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a site might encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs that allows an attacker to input something else, presumably a malicious script, although it could be something else, like a redirect to a malicious site.
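The difference between echoing a request value into an attribute unchanged and encoding it first can be seen in the following added example, which is not code from the plugin or from the advisory. It uses PHP built-ins so it runs outside WordPress (WordPress code would normally call esc_url() and esc_attr() for this job); the function names, the shop.example URL and the request value are constructed for illustration.

```php
<?php
// Added example: all names and values below are constructed, not plugin code.

// Vulnerable pattern: URL and parameter are written into the attribute as-is,
// so a double quote in the value ends the href attribute early.
function render_unescaped(string $url, string $value): string {
    return '<a href="' . $url . '?return=' . $value . '">Back</a>';
}

// Hardened pattern:
//  1. percent-encode the parameter for its place in the query string
//     (a space becomes %20, a double quote becomes %22),
//  2. accept only http/https so javascript: or data: URLs are refused,
//  3. HTML-escape the finished URL for its place inside the attribute.
function render_escaped(string $url, string $value): string {
    $full   = $url . '?return=' . rawurlencode($value);
    $scheme = strtolower((string) parse_url($full, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $full = '#';
    }
    return '<a href="' . htmlspecialchars($full, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// Constructed request value that tries to close the attribute and add markup.
$reflected = 'shop page"><script>alert(1)</script>';
$base      = 'https://shop.example/cart'; // hypothetical store URL

echo "unescaped: ", render_unescaped($base, $reflected), PHP_EOL;
echo "escaped:   ", render_escaped($base, $reflected), PHP_EOL;

// A reflected URL with a script scheme is replaced rather than printed.
echo "bad scheme: ", render_escaped('javascript:alert(1)//', 'x'), PHP_EOL;

// Simple check a reviewer can run: the escaped output must not contain
// a raw quote-plus-bracket breakout or a raw <script tag.
$out = render_escaped($base, $reflected);
var_dump(strpos($out, '"><') === false && stripos($out, '<script') === false);
```

Percent-encoding (the “%20” case) and HTML attribute escaping are separate steps for separate contexts, and the hardened function applies both.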
Changelog Records Vulnerabilities
The plugin’s official log of software updates (called a Changelog) makes reference to a Cross-Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog consists of the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF problem for Booster User Roles Changer.
REPAIRED – Added Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Check out the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan site
Booster for WooCommerce – Reflected Cross-Site Scripting