
80K Retail WooCommerce Sites Exposed by Plugin XSS Bug
2021-12-01 19:34

The plugin "Variation Swatches for WooCommerce," installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious web scripts and take over sites.

Giving low-permissioned users access to the "Tawcvs save settings" function is particularly concerning, the researcher, Chamberland, said, because that access can be used to update the plugin's settings and inject malicious web scripts that would execute whenever a site owner accessed the plugin's settings area.

"As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site," the researcher added.
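The pattern described above, a settings handler reachable by low-privileged users that stores unvalidated input later rendered to an administrator, is illustrated here in a hypothetical WordPress plugin; this is an added example, not code from Variation Swatches for WooCommerce or from the researcher, and the hook, option and field names are placeholders.

```php
<?php
// Added example with hypothetical names; not the plugin's own code.

// VULNERABLE SHAPE (shown for contrast, deliberately not registered on a hook):
// every logged-in user can reach wp_ajax_* handlers, so a handler that checks
// neither a capability nor a nonce and stores raw input lets a subscriber
// plant a script that runs when an admin opens the settings screen.
function example_save_settings_unsafe() {
    $settings = $_POST['settings'] ?? array();       // unvalidated, unsanitized
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED: enforce a capability, verify a nonce bound to this action,
// sanitize each allowed field on the way in, and escape on the way out.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );
function example_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
    }
    check_ajax_referer( 'example_save_settings_nonce', 'security' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Allow-list known keys; anything else submitted is dropped.
    $clean = array(
        'swatch_label' => sanitize_text_field( $raw['swatch_label'] ?? '' ),
        'swatch_size'  => absint( $raw['swatch_size'] ?? 20 ),
    );
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}

// Render side: stored options are still untrusted, so escape at output time.
function example_render_label_field() {
    $opts = get_option( 'example_plugin_settings', array() );
    printf(
        '<input type="text" name="settings[swatch_label]" value="%s">',
        esc_attr( $opts['swatch_label'] ?? '' )
    );
}
```

The fix has two independent halves: the capability and nonce checks stop the low-privileged write, and the escaping at render time means a value that somehow reaches the option table is displayed as text rather than executed.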

In mid-November, another buggy WordPress plugin let attackers display a fake ransomware encryption message demanding about $6,000 to unlock the site.

In late October, a bug was discovered in the Hashthemes Demo Importer WordPress plugin that allowed users with simple subscriber permissions to wipe sites of all content.

To mitigate this latest plugin bug, Chamberland recommends that site owners update to the patched version of the Variation Swatches for WooCommerce plugin.


News URL

https://threatpost.com/retail-woocommerce-sites-plugin-xss-bug/176704/
