Thousands of WordPress WooCommerce stores potentially exposed to hack

Hackers are attempting to exploit multiple vulnerabilities in the Discount Rules for WooCommerce WordPress plugin, which has 30,000+ installations.

Researchers from security firm WebArx reported that Hackers are actively attempting to exploit numerous flaws in the Discount Rules for WooCommerce WordPress plugin.

The list of vulnerabilities includes SQL injection, authorization flaws, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities.

Discount Rules for WooCommerce is a WordPress plugin that allows users to manage product pricing and discount campaigns on WooCommerce online stores. The plugin has more than 30,000 installations

“The Discount Rules for WooCommerce plugin (versions 2.0.2 and below) suffers from multiple vulnerabilities such as SQL injection, authorization issues and unauthenticated stored cross-site scripting.” reads the post published by security experts.

“In this scenario, the unauthenticated stored cross-site scripting issue could potentially lead to remote code execution.”

Experts observed a wave of attacks attempting to exploit this vulnerability, most of them from the IP address 45[.]140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook.

The attackers are attempting to target WooCommerce based sites running outdated versions of the popular plugin.

Experts warn that the vulnerabilities can be exploited by remote attackers to potentially execute arbitrary code on the vulnerable sites and potentially takeover compromised sites.

WebARX reported the flaws to the development team of the Discount Rules plugin on August 7 and on August 13, they released version 2.1.0 to address the vulnerabilities.

The flaws are caused by a lack of nonce token and authorization checks, their exploitation can allow unauthenticated attackers to retrieve a list of all users and coupon codes, inject into any display location, such as the header, footer or any admin page, and trigger remote code execution exploits.

At the time of writing, the plugin has been downloaded over 12,000 times in the last 7 days, this means that more that 17,000 WooCommerce online stores using the Discount Rules plugin are exposed to

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Discount Rules)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.