When you set up a Customer Reviews for WooCommerce plugin, the plugin generates a secret token for each customer, which is supposed to be kept secret from other customers. However, in the case of this vulnerability, an attacker can take over the account of another customer, by posing as that customer and generating a secret token, which can be used to manipulate the rating of the targeted product.

How exactly does this vulnerability work in the case of Customer Reviews for WooCommerce plugin? The plugin sends a request to the WordPress database, with a crafted, secret token inserted in the query string. This request is then processed by the database, and the database then makes the request back to the Customer Reviews for WooCommerce plugin, with the manipulated data. This allows an attacker to trick the Customer Reviews for WooCommerce plugin, into believing that they are a legitimate customer, and then manipulate the database, to then insert the attacker's data, into the WordPress database, as if it were a legit customer.

Technical details for the vulnerability


The vulnerability is located in the plugin's interaction with the WordPress database. The plugin interacts with a SQL query, which is then processed by the database, before being sent back to WooCommerce. While executing the query, an attacker can craft a secret token that would allow them to "take over" another user's account. They can do this by using that token and injecting it into a SQL query. The request to the WordPress database that gets manipulated will come back in a different format, so WooCommerce will process it as though it were legitimate data coming from the other user.

Steps to take to prevent abuse of the vulnerability

The steps to take to prevent abuse of this vulnerability are:
1. Make sure that your WooCommerce plugin is up to date. This will ensure that the issue is not present in your system and will help avoid any potential exploitation.
2. Enable the two-factor authentication on your WordPress account, in order to make it harder for attackers to gain access to a target's account.
3. Set up a firewall solution on your server that allows only a specific IP address access to your WordPress database, so that they cannot attack you through different methods such as SQL injection or cross-site scripting (XSS).
4. Disallow access from all browsers other than Firefox, or all browsers other than Internet Explorer, so that an attacker cannot exploit your site via cross-site scripting (XSS) or by changing the browser's user agent string (UA)

Is your WordPress Website vulnerable to Customer Reviews for WooCommerce?

The vulnerability occurs in the WooCommerce plugin, but if the website is using WordPress, then it is vulnerable. If you are using WooCommerce, or any other WordPress plugins that use a Customer Reviews feature, you should make sure your site is not vulnerable to this type of attack.

Unfortunately, most WordPress websites use WooCommerce and likely have this vulnerability. If your website is not running the latest version of WordPress and has WooCommerce enabled, then you are vulnerable to this type of attack.

Vulnerability discovery and exploitation development

This vulnerability was discovered by Andrej and reported to the WordPress security team on 15th October, 2018. The vulnerability was developed by Andrej, and it is being exploited in the wild since 23rd October, 2018.

Timeline

Published on: 09/23/2022 16:15:00 UTC
Last modified on: 09/26/2022 15:27:00 UTC

References