Stubborn WooCommerce Plugin Bugs Get Third Patch (Security News, September 2020)
E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site.
According to Flycart Technologies, Discount Rules for WooCommerce lets WooCommerce's 3.3 million active merchants streamline customer discounts and manage dynamic pricing.
Researchers estimate the plugin is active on roughly 40,000 sites running the open-source WooCommerce platform.
"The vulnerabilities that were originally patched in the plugin were AJAX actions present in the 'v2' codebase of the plugin. Unfortunately, the plugin maintained a separate 'v1' codebase containing an earlier version of this functionality. Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding an awdr_switch_plugin_to query string parameter set to v1 or v2," researchers wrote.
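The switch the researchers describe leaves a trace that a site operator can look for: any request carrying the codebase-toggle parameter, and especially one that selects the older v1 code. The following is an added illustration, not code from the plugin, its developer or the researchers. It parses a few constructed access-log lines in the common combined format, flags requests that set the awdr_switch_plugin_to parameter (the "awdr switch plugin to" parameter named in the quote above), rates a switch to v1 as higher risk than a switch to v2, and notes whether the same client subsequently called admin-ajax.php. The log lines, IP addresses and timestamps are made up for the example.

```python
"""Flag requests that toggle a plugin's codebase through an exposed query-string
parameter, then check whether the same client went on to call admin-ajax.php.

Added example for this write-up; the log format and all sample lines are
constructed (RFC 5737 test addresses), not taken from any real site.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in combined format: one v1 switch followed by an AJAX
# call from the same address, one unrelated request, and one v2 switch.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2020:10:01:02 +0000] "GET /shop/?awdr_switch_plugin_to=v1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Sep/2020:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2020:10:02:00 +0000] "GET /product/widget/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2020:10:03:00 +0000] "GET /?awdr_switch_plugin_to=v2 HTTP/1.1" 200 5000 "-" "curl/7.68"
"""

# Parameter name from the researchers' description quoted above.
SWITCH_PARAM = "awdr_switch_plugin_to"

# Minimal combined-log parser: client, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a bare "?awdr_switch_plugin_to" is still seen
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_codebase_switches(log_text):
    """List every request that sets the switch parameter, in log order.

    A switch to v1 selects the older, separately maintained code path and is
    rated high; any other value is still worth a look and is rated medium.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    for idx, rec in enumerate(records):
        values = rec["query"].get(SWITCH_PARAM)
        if not values:
            continue
        value = values[0]
        # Did the same client hit admin-ajax.php later in the log?
        followed_by_ajax = any(
            later["ip"] == rec["ip"] and later["path"].endswith("/admin-ajax.php")
            for later in records[idx + 1:]
        )
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "path": rec["path"],
            "value": value,
            "severity": "high" if value == "v1" else "medium",
            "followed_by_ajax": followed_by_ajax,
        })
    return findings


if __name__ == "__main__":
    for f in find_codebase_switches(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['timestamp']} "
              f"{SWITCH_PARAM}={f['value']} ajax_after={f['followed_by_ajax']}")
```

The parameter name is a plain string constant, so the same scan can be pointed at any other plugin that exposes a similar unauthenticated toggle; the correlation with admin-ajax.php is only a hint for triage, since legitimate front-end code also calls that endpoint.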
It is unclear whether WooCommerce site operators will have to download the patch for the Discount Rules for WooCommerce plugin themselves or whether the plugin will receive an automated update.
News URL: https://threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/