The popular Booster for WooCommerce plugin patched a Reflected Cross-Site Scripting vulnerability affecting up to 70,000+ websites that use the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that provides over 100 functions for personalizing WooCommerce shops.
The modular package provides the most important functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress generally happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor's browser.
If the user is an admin, there is the potential for the attacker to steal the admin credentials and take over the site.
The non-profit Open Web Application Security Project (OWASP) describes this sort of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, resulting in Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a site may encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs which allows an attacker to input something else, presumably a malicious script, although it could be something else like a redirection to a malicious site.
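The advisory's wording ("do not escape some URLs and parameters before outputting them back in attributes") can be illustrated with the following added example, which is not the plugin's code: a hypothetical link renderer shown unescaped and then escaped. The function names, the `tab` parameter and the sample URL are assumptions, and the `esc_attr()`/`esc_url()` definitions are simplified stand-ins for the WordPress functions of the same name so the script runs outside WordPress.

```php
<?php
// Stand-ins so this added example runs outside WordPress.
// Inside WordPress the real esc_attr() and esc_url() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified assumption: allow only http/https, then HTML-escape.
    function esc_url($url) {
        $scheme = parse_url((string) $url, PHP_URL_SCHEME);
        if (is_string($scheme) && !in_array(strtolower($scheme), ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars((string) $url, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical renderer that reflects request data into attributes.
function render_tab_link_unsafe($currentUrl, $tab) {
    // BEFORE: raw values are printed inside the attributes.
    return '<a href="' . $currentUrl . '" data-tab="' . $tab . '">Settings</a>';
}

function render_tab_link_safe($currentUrl, $tab) {
    // AFTER: each value is escaped for the attribute it is printed in.
    return '<a href="' . esc_url($currentUrl) . '" data-tab="' . esc_attr($tab) . '">Settings</a>';
}

// Counts attribute openings (name=") as a browser's HTML parser would see them.
function count_attributes($html) {
    return preg_match_all('/\s[a-z-]+="/i', $html);
}

// Constructed request values: the tab value contains a double quote.
$tab = 'general" onfocus="alert(1)';
$url = 'https://shop.example/wp-admin/admin.php?page=demo&tab=' . $tab;

foreach (['unsafe' => render_tab_link_unsafe($url, $tab),
          'safe'   => render_tab_link_safe($url, $tab)] as $label => $html) {
    // The unsafe markup gains attributes that came from the request.
    echo $label, ': ', count_attributes($html), " attributes\n", $html, "\n";
}
```

In the escaped output the double quote becomes `&quot;`, so the reflected value stays inside the `href` and `data-tab` attributes instead of closing them.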
Changelog Records Vulnerabilities
The plugin's official log of software updates (called a Changelog) makes reference to a Cross Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Read the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan site
Booster for WooCommerce – Reflected Cross-Site Scripting