Vulnerabilities In WooCommerce And Dokan Pro Plugins

Jun 13, 2024 06:15 AM

WooCommerce published an advisory about an XSS vulnerability while Wordfence simultaneously warned about a critical vulnerability in a WooCommerce plugin named Dokan Pro. The Dokan Pro advisory warned that a SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from a website's database.

Dokan Pro WordPress Plugin

The Dokan Pro plugin allows a user to transform their WooCommerce website into a multi-vendor marketplace similar to sites like Amazon and Etsy. It currently has over 50,000 installations. Plugin versions up to and including 3.10.3 are vulnerable.

According to Wordfence, version 3.11.0 is the fully patched and safest version.

WordPress.org lists the current number of installations of the Lite version at over 50,000 and a total all-time number of downloads of over 3 million. At the time of writing only 30.6% of those installations were running the most up-to-date version, 3.11, which may mean that 69.4% of Dokan installations are still vulnerable (the statistics cover the free Lite plugin hosted on WordPress.org, so they are only a proxy for the premium Pro plugin's install base).

Screenshot Of Dokan Plugin Download Statistics

Changelog Doesn’t Show Vulnerability Patch

The changelog is what tells users of a plugin what is contained in an update. Most plugin and theme makers will publish a clear notice that an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including 3.10.3. But the changelog entry for version 3.10.4, released Apr 25, 2024 (which is expected to be the patched release), does not mention a security fix. It's possible that the publisher of Dokan Pro and Dokan Lite didn't want to alert attackers to the critical vulnerability.

Screenshot Of Dokan Pro Changelog

CVSS Score 10

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The score is derived from how exploitable the flaw is and what impact a successful exploit has, with supplemental metrics such as Safety and Urgency available for additional context, and it ranges from 0.0 (least severe) to 10.0 (most severe).

The Dokan Pro vulnerability received a CVSS score of 10, the highest severity level, which means that all users of the plugin should take immediate action.

Screenshot Of Dokan Pro Vulnerability Severity Score

Description Of Vulnerability

Dokan Pro was found to contain an unauthenticated SQL injection vulnerability. Vulnerabilities can be authenticated or unauthenticated. Unauthenticated means that an attacker does not need to obtain user credentials in order to launch an attack. Of the two kinds, unauthenticated is the worst-case scenario.

A WordPress SQL injection vulnerability is one in which a plugin or theme lets an attacker alter the queries sent to the database. The database is the heart of every WordPress website: every password hash, login name, post, and piece of theme and plugin data is stored there. A flaw that lets anyone read or manipulate it is about as severe as a vulnerability gets.

This is how Wordfence describes it:

“The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”
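To make the Wordfence description concrete, here is an added example of the query pattern it describes, written for this article and not taken from Dokan Pro, Wordfence or WooCommerce. The `coupons` and `users` tables, the rows in them, and the lookup keyed by a `code` request parameter are all constructed for the demo; the actual Dokan Pro query is not public on this page. The vulnerable function concatenates the parameter into an existing query, which lets a crafted value append a `UNION` that reads an unrelated table; the fixed function binds the value as a parameter instead.

```python
"""Constructed demo: SQL injection through a user-supplied 'code' parameter.

Added example, not Dokan Pro's code. Schema, rows and the 'code' lookup are
invented for illustration. The vulnerable pattern is user input concatenated
into an existing SQL string; the fix is a parameterised query, which is what
$wpdb->prepare() does in WordPress.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a harmless 'coupons' table next to a sensitive 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE coupons (id INTEGER PRIMARY KEY, code TEXT, discount INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO coupons VALUES (1, 'SPRING10', 10), (2, 'VIP25', 25);
        INSERT INTO users VALUES (1, 'admin', 'placeholder-hash-1'),
                                 (2, 'vendor1', 'placeholder-hash-2');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    """Unsafe: the request parameter becomes part of the SQL text itself."""
    sql = "SELECT id, code, discount FROM coupons WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, code: str) -> list:
    """Safe: the value is bound as a parameter and can never be parsed as SQL."""
    sql = "SELECT id, code, discount FROM coupons WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Constructed attacker input. It closes the open string literal, appends a UNION
# that pulls three columns from the users table (matching the original SELECT's
# column count), and comments out the trailing quote the original query adds.
PAYLOAD = "x' UNION SELECT id, user_login, user_pass FROM users -- "


def demo() -> dict:
    """Run the same payload through both lookups plus a legitimate code."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # leaks users rows
        "prepared": lookup_prepared(conn, PAYLOAD),      # no rows: payload is just a string
        "legit": lookup_prepared(conn, "VIP25"),         # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The `vulnerable` result returns the `users` rows even though the query only names `coupons`, which is exactly the "append additional SQL queries into already existing queries" behaviour the advisory describes. In a WordPress plugin the equivalent fix is to pass the value through `$wpdb->prepare()` with a `%s` placeholder rather than interpolating it into the query string; escaping alone is not a substitute for binding.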

Recommended Action For Dokan Pro Users

Users of the Dokan Pro plugin are advised to update their sites as soon as possible. It's always prudent to test updates before they go live on a website, but given the severity of this vulnerability, users should expedite this one.

WooCommerce published an advisory for a vulnerability that affects versions 8.8.0 and higher. The vulnerability is rated 5.4, a medium-severity threat, and only affects stores that have the Order Attribution feature enabled. Nevertheless, WooCommerce “strongly” recommends that users update as soon as possible to the most current version (as of this writing), WooCommerce 8.9.3.

WooCommerce Cross Site Scripting (XSS) Vulnerability

The type of vulnerability that affects WooCommerce is Cross-Site Scripting (XSS), a class of vulnerability that depends on a user (such as a WooCommerce shop admin) clicking a crafted link.

According to WooCommerce:

“This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.

…We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have received no reports of it being exploited and our engineering team analyses did not reveal it had been exploited.”

Should Web Hosts Be More Proactive?

Web developer and search marketing expert Adam J. Humphreys, of Making 8, Inc. (LinkedIn profile), feels that web hosts should be more proactive about patching critical vulnerabilities, even though that may cause some sites to lose functionality if there's a conflict with another plugin or theme in use.

Adam observed:

“The deeper issue is the fact that WordPress remains without auto updates and a constant vulnerability which is the illusion their sites are safe. Most core updates are not performed by hosts and almost every single host doesn’t perform any plugin updates even if they do them until a core update is performed. Then there is the fact most premium plugin updates will often not perform automatically. Many of which contain critical security patches.”

I asked if he meant a push update, where an update is forced onto a website.

“Correct, many hosts will not perform updates until a WordPress core update. Softaculous engineers confirmed this for me. WPEngine which claims fully managed updates doesn’t do it on the frequency to patch in a timely manner for said plugins. WordPress without ongoing management is a vulnerability and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”

Read more at Wordfence:

Dokan Pro <= 3.10.3 – Unauthenticated SQL Injection

Read the official WooCommerce vulnerability documentation:

WooCommerce Updated to Address Cross-site Scripting Vulnerability

Featured Image by Shutterstock/New Africa
