The popular WooCommerce Booster plugin patched a Reflected Cross-Site Scripting vulnerability, affecting up to 70,000+ websites that use the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that offers over 100 functions for tailoring WooCommerce stores.
The modular bundle provides the most important functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress typically happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor’s browser.
If the user is an admin, there is potential for the attacker to steal the admin credentials and take control of the site.
The non-profit Open Web Application Security Project (OWASP) describes this type of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search results page, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another path, such as in an e-mail message, or on some other site.
… XSS can cause a variety of issues for the end user that vary in severity from an inconvenience to complete account compromise.”
As of this time the vulnerability has not been assigned a severity score.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin prior to 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, resulting in Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a site may encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs that allows an attacker to input something else, presumably a malicious script, although it could be something else like a redirection to a harmful website.
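An added example (not code from the Booster plugin or from the original article) of the pattern the NVD description names: a request value echoed into an HTML attribute without escaping, beside a hardened version, plus the “%20” percent-encoding case described above. It uses plain PHP functions so it runs without WordPress; the function names, the shop.example URLs and the sample inputs are constructed for illustration.

```php
<?php
// Added example: plain-PHP stand-ins, not the Booster plugin's code.
// In WordPress the equivalent helpers are esc_url() and esc_attr().

// Vulnerable pattern: a request value is echoed into an attribute as-is,
// so a double quote in the value ends the attribute early.
function render_link_unescaped(string $url): string
{
    return '<a href="' . $url . '">Back</a>';
}

// Hardened pattern: allow only http/https, then escape for the attribute context.
function render_link_escaped(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#'; // reject javascript:, data: and malformed values
    }
    // ENT_QUOTES encodes both quote styles, so the value cannot leave href="".
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// Percent-encoding a value before placing it in a query string
// (a blank space becomes %20).
function build_return_url(string $base, string $value): string
{
    return $base . '?ref=' . rawurlencode($value);
}

// Constructed sample input: a harmless marker that breaks out of the attribute.
$breaker = 'https://shop.example/?x="><b data-injected="1">';

echo render_link_unescaped($breaker), PHP_EOL;              // markup is altered
echo render_link_escaped($breaker), PHP_EOL;                // value stays inside href
echo render_link_escaped('javascript:void(0)'), PHP_EOL;    // scheme rejected
echo build_return_url('https://shop.example/cart', 'blue shirt'), PHP_EOL;
```

Percent-encoding and attribute escaping solve different problems: the first keeps a value valid inside a URL, the second keeps it from closing the HTML attribute it is printed into.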
Changelog Records Vulnerabilities
The plugin’s main log of software updates (called a Changelog) makes reference to a Cross Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Repaired CSRF problem for Booster User Roles Changer.
FIXED – Included Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Read the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan website
Booster for WooCommerce – Reflected Cross-Site Scripting