WordPress is the most popular content management system, and WooCommerce is one of the biggest names in e-commerce plugins for the platform, with more than 4 million users. That is why, when a security researcher finds a vulnerability in either, it is big news to web-based businesses. When one vulnerability impacts both, it takes on a whole new dimension.
And so it was when Simon Scannell, a self-taught security researcher working at RIPS Technologies, discovered an arbitrary file deletion vulnerability in WooCommerce. That vulnerability was disclosed and fixed in version 3.4.6 of the WooCommerce plugin. In and of itself it was no big deal. As Scannell writes, "Arbitrary file deletion vulnerabilities aren’t considered critical in most cases as the only thing an attacker can cause is a Denial of Service by deleting the index.php of the website." Unless, that is, there is an unpatched design flaw in the privilege system of WordPress itself.
A flaw in the way WordPress handles privileges can, it would appear, turn a file deletion bug in a plugin into a worst-case privilege escalation scenario. How bad might that be? "The vulnerability allows shop managers to delete certain files on the server," Scannell says, "and then to take over any administrator account..."
While the vulnerability in the WooCommerce plugin itself was quickly patched, the design flaw in WordPress itself remains. That is problematic, because all it took for an attacker to take over a site was a vulnerable plugin plus 'shop manager' privileges, which could be obtained via XSS vulnerabilities, social engineering, or whatever else you fancy. Once the file deletion was exploited, that shop manager could take over any admin account and execute code at will on the server.
Jon Bottarini, Technical Program Manager II at HackerOne, says that "the default, bare bones installation, of WordPress is quite secure" and that, because it is open source with a continual development process, "if you install the basics of WordPress and keep up to date in the security updates you really don’t need to worry too much about being hacked." But this is about plugins and design flaws, so what of them? "You should think of every plugin you install in WordPress as increasing your attack surface," Bottarini responded, adding, "and some plugins are built better than others." When it comes to WooCommerce specifically, he reckons that while needing shop manager privileges to exploit the vulnerability is not good, it lowers the severity, since the shop manager role is pretty much 'everything but admin' anyway. "I’m not denying that a vulnerability exists, or that it should be downplayed," Bottarini concludes, "but the likelihood of an admin giving shop manager privileges to an unknown user is rare, and this should be considered as a mitigating factor when considering this vulnerability and its widespread implications."
Nicholas Griffin, Senior Cyber Security Specialist at Performanta, is less forgiving. "This is a classic example of a system 'failing open' without performing sufficient checks," he says. Unless it absolutely cannot be helped, failing open should never come at the cost of degraded security, Griffin points out. "Here we see that by simply deleting a file on WordPress, the appropriate permissions checks fail to run," Griffin warns, adding, "if a plugin needs to check (and may modify) the permissions of existing roles, then the WordPress platform should fail closed if the plugin fails to load..."
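The fail-open pattern Griffin describes, and the site takeover path sketched earlier in the article, come down to where a privilege lives. The following plugin skeleton is an added illustration written for this page, not WooCommerce's or WordPress's own code: it shows a plugin that persists a broad capability for a custom role at activation and relies on a runtime filter to narrow it (pattern A), next to a variant that never stores the broad capability and grants it per request instead (pattern B). The role name `example_manager`, the `EXAMPLE_FAIL_CLOSED` switch and the choice of the `map_meta_cap` and `user_has_cap` hooks are the editor's assumptions drawn from the standard WordPress plugin API; the article does not name the hooks or files involved in the WooCommerce case.

```php
<?php
/*
 * Plugin Name: Example Manager Role (added illustration, not WooCommerce code)
 * Assumes the standard WordPress plugin API: register_activation_hook,
 * add_role, get_role, get_userdata, add_filter, and the map_meta_cap and
 * user_has_cap filters. Flip EXAMPLE_FAIL_CLOSED before activating.
 */

const EXAMPLE_FAIL_CLOSED = false; // false = pattern A, true = pattern B

register_activation_hook( __FILE__, function () {
    // Both patterns store only a harmless baseline for the role.
    add_role( 'example_manager', 'Example Manager', array( 'read' => true ) );
    if ( EXAMPLE_FAIL_CLOSED ) {
        return; // pattern B: nothing broad is ever written to the database
    }
    // Pattern A: edit_users is written into the wp_user_roles option. That
    // row outlives the plugin; deleting this file does not remove it, and a
    // deleted file never runs a deactivation hook that could.
    $role = get_role( 'example_manager' );
    if ( $role ) {
        $role->add_cap( 'edit_users' );
    }
} );

if ( ! EXAMPLE_FAIL_CLOSED ) {
    // Pattern A's guard exists only while this file loads on a request.
    // Delete the file and the guard is gone while edit_users remains:
    // the system fails open and the role can edit administrators.
    add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
        if ( 'edit_user' === $cap && isset( $args[0] ) ) {
            $actor  = get_userdata( (int) $user_id );
            $target = get_userdata( (int) $args[0] );
            if ( $actor && $target
                && in_array( 'example_manager', (array) $actor->roles, true )
                && in_array( 'administrator', (array) $target->roles, true ) ) {
                $caps[] = 'do_not_allow'; // managers may not edit administrators
            }
        }
        return $caps;
    }, 10, 4 );
} else {
    // Pattern B grants edit_users per request, scoped to non-administrator
    // targets. If this file stops loading, the grant disappears with it and
    // the role falls back to what the database says ('read' only): it fails
    // closed, losing a feature instead of losing a security check.
    add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
        if ( ! in_array( 'example_manager', (array) $user->roles, true ) ) {
            return $allcaps;
        }
        // $args = array( requested_cap, acting_user_id, ...object args );
        // for edit_user the object arg is the target user's ID.
        if ( isset( $args[0], $args[2] ) && 'edit_user' === $args[0] ) {
            $target = get_userdata( (int) $args[2] );
            if ( $target
                && ! in_array( 'administrator', (array) $target->roles, true ) ) {
                $allcaps['edit_users'] = true; // scoped, per-request grant
            }
        }
        return $allcaps;
    }, 10, 4 );
}
```

The two patterns look alike from the admin screen, and both behave identically while the plugin is healthy; they differ only in what is left behind when the plugin file is gone. Pattern A leaves a stored `edit_users` with no guard, which is the shape of failure the article attributes to the WooCommerce case. Pattern B leaves nothing to abuse. A site owner who wants to know which roles already hold persisted capabilities of this kind can list them with WP-CLI, for example `wp cap list shop_manager`, and treat anything broad that a plugin is supposed to be constraining at runtime as a candidate for the same failure.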