Posted on November 6, 2018

WooCommerce patch released addressing WordPress design flaw

A researcher at RIPS Technologies GmbH, Simon Scannell, discovered and reported a file deletion vulnerability in WooCommerce, a very popular WordPress e-shop plugin, that allows shop managers to delete certain files and then take over any administrator account.

This vulnerability was fixed in version 3.4.6, which was released on October 11, 2018. If you have already updated to version 3.4.6, the good news is that your job is done. If you haven't yet updated, download the latest release or go to your dashboard > Updates to complete the update.

If you are subscribed to our Managed WordPress Hosting automatic updates, this patch would have been applied automatically for you.

Details of this Vulnerability

While this patch addresses WooCommerce specifically, it exposes a design flaw in how WordPress handles privileges. Exploiting this file deletion vulnerability can escalate it into a remote code execution vulnerability.

In plain language, if someone were to gain control of a shop manager account (through an XSS vulnerability or a phishing attack), exploiting this vulnerability would let them take over any administrator account and execute whatever code they desire to further compromise your WordPress installation.

While any vulnerability is important to patch, the slightly good news about this one is that exploitation requires access to a shop manager account.
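Because the privilege problem lies in how WordPress maps a shop manager's user-management capabilities rather than in WooCommerce alone, a defensive control that does not depend on the WooCommerce plugin being active is a sensible second layer alongside the update. The following must-use plugin is an added example written for this post; it is not WooCommerce code and not something the researcher published. It assumes WooCommerce's role slug shop_manager, that a shop manager only ever needs to manage users holding the customer or subscriber roles, and the hypothetical function prefix fh_example_. It uses WordPress' standard map_meta_cap filter to deny edit, delete, promote and remove operations that a shop manager attempts against any user outside that allow-list, including administrators.

```php
<?php
/**
 * Plugin Name: Restrict shop managers to non-admin users (hardening example)
 * Description: Must-use plugin that stops the shop_manager role from editing,
 *              deleting, promoting or removing users who hold any role outside a
 *              small allow-list, regardless of whether WooCommerce is active.
 *              Constructed example, not WooCommerce code.
 */

// Exit if the file is requested directly instead of being loaded by WordPress.
defined( 'ABSPATH' ) || exit;

/**
 * Roles a shop manager may act on. Anything outside this allow-list
 * (administrator, editor, another shop_manager, ...) is denied.
 * Assumption: customer and subscriber are the only roles a shop manager
 * legitimately needs to manage.
 *
 * @return string[]
 */
function fh_example_shop_manager_editable_roles() {
    return array( 'customer', 'subscriber' );
}

/**
 * map_meta_cap filter: when a shop manager tries to edit, delete, promote or
 * remove another user, compare the target user's roles with the allow-list.
 *
 * @param string[] $caps    Primitive capabilities WordPress requires for $cap.
 * @param string   $cap     Meta capability being checked (edit_user, delete_user, ...).
 * @param int      $user_id ID of the user performing the action.
 * @param array    $args    Extra arguments; $args[0] is the target user ID.
 * @return string[] Possibly replaced by array( 'do_not_allow' ).
 */
function fh_example_restrict_shop_manager( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps; // Not a user-management check: leave WordPress' decision untouched.
    }

    $actor = get_userdata( $user_id );
    if ( ! $actor || ! in_array( 'shop_manager', (array) $actor->roles, true ) ) {
        return $caps; // Only shop managers are restricted by this plugin.
    }

    $target_id = (int) $args[0];

    // A shop manager may always edit their own profile.
    if ( $target_id === (int) $user_id && 'edit_user' === $cap ) {
        return $caps;
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return $caps; // Unknown target: let core handle the error.
    }

    $allowed = fh_example_shop_manager_editable_roles();
    foreach ( (array) $target->roles as $role ) {
        if ( ! in_array( $role, $allowed, true ) ) {
            // 'do_not_allow' is a capability no user holds, so current_user_can() fails.
            return array( 'do_not_allow' );
        }
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'fh_example_restrict_shop_manager', 10, 4 );
```

Save the file under wp-content/mu-plugins/ so that WordPress loads it on every request; must-use plugins cannot be deactivated from the dashboard, which is the point of placing the check there rather than inside the WooCommerce plugin directory. The filter runs after WordPress has mapped the meta capability to primitive capabilities, so it only ever tightens the result and never grants anything a shop manager did not already have.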

What is WooCommerce

WooCommerce is an immensely popular plugin for WordPress, with estimates of approximately 3.3 million online e-shops using WooCommerce worldwide.

It provides a very scalable and flexible solution that allows you to sell basically anything you offer and integrate shipping and payments as well.
