The popular Booster for WooCommerce plugin patched a Reflected Cross-Site Scripting vulnerability, impacting approximately 70,000+ sites using the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that offers over 100 functions for customizing WooCommerce stores.
The modular bundle provides all of the most essential functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress generally happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor’s browser.
If the user is an admin, then there is potential for the attacker to steal the admin credentials and take over the site.
The non-profit Open Web Application Security Project (OWASP) describes this kind of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a site may encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs which allows an attacker to input something else, presumably a malicious script, although it could be something else like a redirection to a malicious site.
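The flaw class the NVD text describes, a request value written back into an HTML attribute without escaping, shown next to an escaped version. This is an added example, not part of the original article and not Booster's own code; the "tab" parameter, the markup and the sample value are constructed for illustration, and plain PHP functions stand in for WordPress's esc_url() and esc_attr().

```php
<?php
// Added example, not Booster's code. The "tab" parameter, the markup and the
// sample value are hypothetical.

// Vulnerable pattern: request value concatenated into an attribute as-is.
function render_link_unsafe(string $tab): string {
    return '<a href="/wp-admin/admin.php?page=example&tab=' . $tab . '">Settings</a>';
}

// Hardened pattern: percent-encode the value for the query string, then
// HTML-escape the finished URL for the attribute context. In WordPress code
// the usual helpers for this are esc_url() and esc_attr().
function render_link_safe(string $tab): string {
    $url = '/wp-admin/admin.php?page=example&tab=' . rawurlencode($tab);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Settings</a>';
}

// Parse the markup and list the attribute names on the first <a> element,
// so a check can confirm that user input did not create an attribute.
function anchor_attribute_names(string $html): array {
    libxml_use_internal_errors(true);   // tolerate parser warnings on fragments
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$input = 'general" data-injected="1';   // constructed value containing a quote
foreach (['unsafe' => render_link_unsafe($input),
          'safe'   => render_link_safe($input)] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes on <a>: ', implode(', ', anchor_attribute_names($html)), PHP_EOL;
}
```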
Changelog Records Vulnerabilities
The plugin’s official log of software updates (called a changelog) makes reference to a Cross-Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Read the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan site
Booster for WooCommerce – Reflected Cross-Site Scripting