The popular WooCommerce Booster plugin patched a Reflected Cross-Site Scripting vulnerability affecting approximately 70,000+ websites that use the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that provides over 100 functions for customizing WooCommerce stores.
The modular bundle offers all of the most essential functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress typically occurs when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor’s web browser.
If the user is an admin, there is the potential for the attacker to steal the admin credentials and take over the site.
The non-profit Open Web Application Security Project (OWASP) describes this type of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin prior to 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters prior to outputting them back in attributes, causing Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a website may encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs which allows an attacker to input something else, most likely a malicious script, although it could be something else like a redirection to a malicious website.
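The escaping described above, as an added example that is not code from the Booster plugin: it shows a parameter written into an attribute without escaping, next to a version that percent-encodes the value for the URL and then HTML-escapes it for the attribute. Function names and sample values are constructed, and PHP built-ins are used so it runs without WordPress; inside a plugin, WordPress provides esc_url() and esc_attr() for this job.

```php
<?php
// Added example; not Booster for WooCommerce code. Names and sample values are constructed.

// Unsafe pattern: a request parameter is concatenated into an attribute as-is.
function link_unescaped(string $base, string $tab): string
{
    return '<a href="' . $base . '?tab=' . $tab . '">Settings</a>';
}

// Escape for the URL first, then for the HTML attribute.
function link_escaped(string $base, string $tab): string
{
    // rawurlencode() percent-encodes the value (a space becomes %20, a quote %22).
    $url = $base . '?tab=' . rawurlencode($tab);
    // htmlspecialchars() with ENT_QUOTES encodes & " ' < > for the attribute.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Settings</a>';
}

// When a whole URL comes from the request, also restrict the scheme,
// because attribute escaping does not stop a non-http(s) URL in href.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

$base = 'https://shop.example/wp-admin/admin.php';        // constructed
$samples = ['price labels', 'general"><b>injected</b>'];  // constructed inputs

foreach ($samples as $tab) {
    echo "input:     $tab\n";
    echo "unescaped: " . link_unescaped($base, $tab) . "\n";
    echo "escaped:   " . link_escaped($base, $tab) . "\n\n";
}

// The escaped link must not contain the raw sequence that closes the attribute.
if (strpos(link_escaped($base, $samples[1]), '"><b>') !== false) {
    throw new RuntimeException('attribute break-out survived escaping');
}
echo safe_href('https://shop.example/?a=1&b="x"') . "\n";
echo safe_href('javascript:void(0)') . "\n";
```

In the unescaped output the quote in the second sample ends the href attribute early and the rest of the value is parsed as markup; in the escaped output the same value stays inside the attribute as percent-encoded data.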
Changelog Records Vulnerabilities
The plugin’s official log of software updates (called a changelog) refers to a Cross-Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes.”
Users of the plugin should consider updating to the very latest version of the plugin.
Read the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan website
Booster for WooCommerce– Reflected Cross-Site Scripting