Posted on November 6, 2018

WooCommerce patch released addressing WordPress design flaw

A researcher at RIPS Technologies GmbH, Simon Scannell, detected and reported a file deletion vulnerability in WooCommerce, a very popular WordPress plugin for e-shops, that allows shop managers to delete certain files and then take over any administrator account.

This vulnerability was fixed is version 3.4.6 that was released on October 11, 2018. If you’ve already updated to version 3.4.6, the good news for you is your job is done. If you haven’t yet updated, download the latest release or go to your dashboard > Updates to complete the update.

If you are subscribed to our Managed WordPress Hosting automatic updates, this patch would have been applied automatically for you.

Details of this Vulnerability

While this patch addresses WooCommerce specifically, the flaw exposes a design flaw in how WordPress handles privileges.  The exploiting this file delete vulnerability can elevate the file delete in to a remote code execution vulnerability.

In plain language, if someone was to gain control of the user role shop manager (through a XSS vulnerability or phishing attack), by exploiting this vulnerability the shop manager can then take over any administrator account an execute whatever code they desire to further compromise your WordPress installation.

While any vulnerability is important to patch, the slightly good news with this potential exploit is that they do require access to the shop manager.

What is WooCommerce

WooCommerce is an immensely popular plugin for WordPress, with estimates of approximately 3.3 million online e-shops using WooCommerce worldwide.

It provides a very scalable and flexible solution that allows you sell basically anything that you offer and integrate shipping and payments as well.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trusted by Clients Across All Industries

Don’t take our word for it - let our happy clients do the talking. See More

Full Host did an amazing job of migrating my site seamlessly onto their server. My only regret was not switching my site over to them sooner. Now it is performing great, images are uploading way faster than ever before.

" Vancouver Sofa and Patio - Jerry Schmidt

Two thumbs up for Fullhost! Agents reply to me fairly quickly or at least let me know they received the ticket and are looking into it. Kudos to the support team as they have always given me exactly what I need without delays.

" Universal Staffing Inc. - Anthony Calvano

FullHost is an absolute pleasure to work with, and their customer service is exceptional. Whenever I have questions or need adjustments, they are there to help, quickly, efficiently, with answers and insights.

" Mooseworld Inc. Norine Leibel

With coast to coast coverage,
We help you serve the world.

Whether your audience is located in Europe, Asia, Africa, or Australia, provide them with lightening speed!

FullHost's data centers are located in Toronto and Vancouver to ensure worldwide quality and speed.

Get in Touch
We Trust Only The Best Tech to Support You

FullHost operates with the most innovative technology to bring you unparalleled levels of hosting services.