WordPress Plugin Flaw Allows Website Takeover
By: Jim Stickley and Tina Davis
December 22, 2018
WordPress users beware! Just in time for the big online e-commerce season, researchers have found a flaw in the WooCommerce plugin for the WordPress content management system (CMS) that may allow an attacker to hijack your website. If it is exploited, an attacker who already holds a lower-privileged account on the site can take over higher-privileged accounts and make changes to the website. And of course, you don’t want that just before Black Friday rolls around.
The researcher, Simon Scannell, said in a blog post that the flaw allows an attacker who attains shop manager access to delete files on the server and take over administrator accounts. You certainly don’t want that to happen, no matter what time of year.
The shop manager role carries the WordPress edit_users capability, which lets an account holder edit any user account, including administrators. WooCommerce therefore restricts how shop managers may use it, but the vulnerability lets an attacker who holds a shop manager account reach that function anyway and, through it, the administrator accounts.
Unfortunately, disabling the WooCommerce plugin does not take the capability away, because WordPress stores roles and their capabilities in its own database (the wp_user_roles option) rather than in the plugin’s files: the shop manager role, edit_users included, survives the plugin being deactivated. What does not survive is the plugin’s safeguard. WooCommerce prevents shop managers from abusing edit_users by hooking into WordPress’s permission check, current_user_can(), to deny edits to administrator accounts, and that hook only runs while the plugin is active. An attacker who can take the plugin out of action (the file deletion flaw gives them a way to do so) is left with edit_users and no restriction on it. They could change an administrator’s password and go to town on your site.
There is hope. The plugin’s developer, Automattic, released a patch in October; the fix is included in WooCommerce version 3.4.6. If you run WooCommerce and haven’t already applied it, do so right away.
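As an added illustration for the two points above (written for this article, not WooCommerce’s own code), the following must-use plugin shows how a guard of the kind WooCommerce applies through WordPress’s capability mapping can be placed outside the plugin, so that it keeps running even when WooCommerce is deactivated or its files are deleted, and it raises an admin notice when the installed WooCommerce predates the 3.4.6 fix. The file path wp-content/mu-plugins/role-guard.php, the role_guard_* function names and the list of protected roles are assumptions for this example; WC_VERSION, map_meta_cap, current_user_can() and the 'do_not_allow' convention are WordPress’s and WooCommerce’s own.

```php
<?php
/**
 * Plugin Name: Role Guard (added example, not WooCommerce code)
 *
 * Save as wp-content/mu-plugins/role-guard.php (assumed path). Must-use plugins
 * load on every request regardless of which regular plugins are active, so
 * this guard does not disappear when WooCommerce is deactivated or deleted,
 * whereas a role stored in the wp_user_roles option keeps its edit_users
 * capability either way.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Roles whose accounts a non-administrator must never be able to edit.
 * Assumption for this example: administrators and other shop managers.
 */
function role_guard_protected_roles() {
	return array( 'administrator', 'shop_manager' );
}

/**
 * Whether the user with ID $user_id holds any of $roles.
 * Returns false for an unknown or logged-out (ID 0) user.
 */
function role_guard_user_has_role( $user_id, array $roles ) {
	$user = get_userdata( (int) $user_id );
	if ( ! $user instanceof WP_User ) {
		return false;
	}
	return (bool) array_intersect( $roles, (array) $user->roles );
}

/**
 * map_meta_cap filter. WordPress runs it while resolving checks such as
 * current_user_can( 'edit_user', $target_id ). Appending 'do_not_allow' to
 * the primitive capabilities makes WP_User::has_cap() fail, regardless of
 * whether the acting user holds edit_users.
 */
function role_guard_map_meta_cap( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
	if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
		return $caps;
	}

	$target_id = (int) $args[0];
	if ( $target_id === (int) $user_id ) {
		return $caps; // Editing one's own profile stays allowed.
	}

	// Administrators keep full control; everyone else is blocked from touching protected roles.
	if ( ! role_guard_user_has_role( $user_id, array( 'administrator' ) )
		&& role_guard_user_has_role( $target_id, role_guard_protected_roles() ) ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'role_guard_map_meta_cap', 10, 4 );

/**
 * Warn users who can update plugins when the installed WooCommerce is older
 * than 3.4.6. WC_VERSION is the constant WooCommerce defines when it loads;
 * if the plugin is inactive the constant is absent and no notice is shown.
 */
function role_guard_outdated_woocommerce_notice() {
	if ( defined( 'WC_VERSION' )
		&& version_compare( WC_VERSION, '3.4.6', '<' )
		&& current_user_can( 'update_plugins' ) ) {
		echo '<div class="notice notice-error"><p>WooCommerce '
			. esc_html( WC_VERSION )
			. ' is older than 3.4.6, which fixes a privilege escalation. Update it now.</p></div>';
	}
}
add_action( 'admin_notices', 'role_guard_outdated_woocommerce_notice' );
```

The guard only narrows what a shop manager can do with edit_users; it is a defence in depth alongside updating, not a substitute for it, and it does nothing about the file deletion part of the chain.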
Any time patches are released for a product you use, apply them without delay. If the product supports automatic updates, enable them so you don’t miss anything.
As for those popups saying one of your products has an update: just because a popup says so doesn’t mean it’s true. Criminals use fake update prompts as phishing bait too. If you want to be sure, open the product itself; you can usually find a “check for updates” option in its Help menu. You should also restart your devices from a complete shutdown once in a while, since software commonly checks in with its vendor at startup and fetches legitimate updates then.