
Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.
Discount Rules for WooCommerce is a plugin that makes it simple to manage product pricing and discount campaigns on WooCommerce online stores.
“We have seen an influx of attacks against this vulnerability. Primarily from the IP address 45[.]140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook,” says WebARX CTO Dave Jong, who found the vulnerabilities.
“This seems to indicate that they are attempting to target WooCommerce based sites with this outdated plugin version installed.”
Website takeover risk after successful exploitation
The security flaws found and reported by WebARX could allow attackers to remotely execute code on vulnerable sites, perform actions with administrator privileges, and ultimately take over compromised sites.
WebARX reported the vulnerabilities to the plugin’s development team on August 7 and, less than a week later, on August 13, version 2.1.0 containing a fix for these issues was released.
Based on Jong’s analysis, the vulnerabilities stem from missing nonce verification and missing authorization checks on the affected plugin endpoints. An unauthenticated attacker who exploits them could retrieve a list of all users and coupon codes, inject JavaScript (stored XSS) into a site’s header, footer, or admin pages, and chain that into remote code execution.
“A malicious user could inject JavaScript in the admin_head location to execute certain admin actions on the backend,” WebARX CTO Dave Jong told BleepingComputer.
“Another example would be to inject a JavaScript keylogger into the login form to eventually take over an admin account.”
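The root cause Jong describes, a handler reachable without a nonce or an authorization check that stores attacker-controlled HTML for a template hook, is easiest to see side by side with its hardened form. The following is an added example, not code from Discount Rules for WooCommerce or from WebARX; the action names, option names, and the `demo_` functions are hypothetical, while the WordPress and WooCommerce API calls (`check_ajax_referer`, `current_user_can`, `wp_kses_post`, the `manage_woocommerce` capability) are real.

```php
<?php
// Added example, not the plugin's own code. Action, option and function
// names prefixed "demo_" are hypothetical; the pattern is the bug class the
// article describes: an admin-ajax handler that any visitor can call and
// that stores raw HTML for later output on a WooCommerce template hook.

// --- Vulnerable pattern ---------------------------------------------------
// Registering on 'wp_ajax_nopriv_' exposes the handler to visitors who are
// not logged in at all, and the handler itself verifies nothing.
add_action( 'wp_ajax_demo_save_hook_html', 'demo_save_hook_html_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_hook_html', 'demo_save_hook_html_vulnerable' );

function demo_save_hook_html_vulnerable() {
    // No nonce check, no capability check: an unauthenticated POST suffices.
    $hook = isset( $_POST['hook'] ) ? $_POST['hook'] : '';
    $html = isset( $_POST['html'] ) ? $_POST['html'] : '';

    // Raw HTML is persisted and later echoed on the chosen hook
    // (e.g. woocommerce_before_main_content), so a <script> tag submitted
    // here becomes stored XSS served to every shopper and admin.
    update_option( 'demo_hook_html_' . $hook, $html );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated 'wp_ajax_' action is registered, and the handler
// checks a nonce, a capability, and the input before touching the database.
add_action( 'wp_ajax_demo_save_hook_html_safe', 'demo_save_hook_html_safe' );

function demo_save_hook_html_safe() {
    // 1. Nonce: rejects forged cross-site requests that ride on the admin's
    //    cookies. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_save_hook_html', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    that actually governs store configuration.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the target hook must come from a fixed allow-list,
    //    so the option name cannot be steered to an arbitrary key.
    $allowed_hooks = array(
        'woocommerce_before_main_content',
        'woocommerce_after_main_content',
    );
    $hook = isset( $_POST['hook'] ) ? sanitize_key( wp_unslash( $_POST['hook'] ) ) : '';
    if ( ! in_array( $hook, $allowed_hooks, true ) ) {
        wp_send_json_error( 'invalid hook', 400 );
    }

    // 4. Content sanitisation: wp_kses_post() strips <script>, on* event
    //    handlers and javascript: URLs, so "<script src=...click.js>" is
    //    removed before it is stored.
    $html = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';
    update_option( 'demo_hook_html_' . $hook, $html );
    wp_send_json_success();
}

// Nonce the admin page's JavaScript must include as the 'nonce' POST field.
function demo_save_hook_html_nonce() {
    return wp_create_nonce( 'demo_save_hook_html' );
}
```

Two notes on the hardened version. The nonce alone is not an authorization control: it only proves the request originated from a page WordPress rendered for that user, so the `current_user_can()` check is what actually stops a low-privileged account, and the absence of the `nopriv` registration is what stops anonymous callers. If a feature legitimately needs to accept script tags for a header or footer, the usual WordPress answer is to gate it behind the `unfiltered_html` capability rather than to skip sanitisation for everyone. The SQL injection the article also mentions shares the same root cause (unchecked input reaching the database); the corresponding fix there is to pass user input only through `$wpdb->prepare()`.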
At least 17K online stores exposed to ongoing attacks
The plugin’s developer has addressed the vulnerabilities currently under active attack with the release of Discount Rules for WooCommerce 2.1.0 more than a week ago, on August 13.
Despite that, the plugin has been downloaded just over 12,000 times within the last 7 days based on historic download data provided by WordPress’ portal, with these numbers representing the total number of updates and new installs.
This suggests that at least 17,000 WordPress-based WooCommerce online stores with active Discount Rules plugin installation are still left exposed to ongoing attacks.
Discount Rules for WooCommerce users should update the plugin to version 2.1.0 or later as soon as possible to block attacks designed to take over their sites.