RIPS Technologies has reported a privilege-escalation issue in the way WordPress and the popular e-commerce plugin WooCommerce interact. The researchers explain that two separate problems combine here.
The first problem stems from how WordPress plugins handle authorization. A plugin does not create its own permission system; it reuses the roles and capabilities WordPress already has. It registers a new role built from existing WordPress capabilities, and then narrows what that role may do to site settings and to other users through functions of its own.
This is exactly what WooCommerce does: on installation it creates the Shop Manager role, which is granted the edit_users capability. In WordPress core, edit_users lets its holder edit the profile of any other user, including administrators, and a profile edit covers the account's e-mail address and password.
WooCommerce's developers added a check that stops shop managers from touching administrator accounts. But that check lives inside the plugin, not in WordPress. The role and its edit_users capability, on the other hand, are stored by WordPress and survive deactivation. So the moment WooCommerce is deactivated, the restriction on "store managers" disappears while their capability remains, and users with this role can freely edit any other user's account.
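The weak point above is that the guard depends on the plugin being active while the capability it guards does not. A must-use plugin can close that gap from the WordPress side. The following is an added example (it is neither WooCommerce's own code nor part of the RIPS write-up): it re-implements the administrator guard with the core map_meta_cap filter so it applies whether or not WooCommerce is loaded, and adds an audit helper that lists which roles carry edit_users. The smg_ function names are invented for this example; the filter signature, the meta-capability names and wp_roles() are WordPress core.

```php
<?php
/**
 * Plugin Name: Shop Manager Guard (added example, not WooCommerce code)
 * Description: Denies non-administrators the ability to edit, delete, promote or
 *              remove administrator accounts, regardless of which plugins are active.
 *
 * Place this file in wp-content/mu-plugins/. WordPress loads must-use plugins on
 * every request and offers no "Deactivate" link for them in the admin UI.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Only run inside WordPress.
}

/**
 * Report whether a user holds the administrator role.
 *
 * Deliberately uses only core functions: a plugin's own role helpers are gone
 * as soon as that plugin is deactivated.
 */
function smg_user_is_admin( $user_id ) {
	$user = get_userdata( (int) $user_id );
	return $user instanceof WP_User && in_array( 'administrator', (array) $user->roles, true );
}

/**
 * map_meta_cap filter: veto user-management meta capabilities aimed at administrators.
 *
 * current_user_can( 'edit_user', $target_id ) and friends are resolved by core through
 * this filter before the primitive capability (edit_users, delete_users, ...) is
 * checked. Appending 'do_not_allow' makes the check fail no matter which primitive
 * capabilities the actor's role holds, so a role that still carries edit_users
 * cannot reach an administrator account.
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id User performing the action.
 * @param array    $args    $args[0] is the target user ID for these meta capabilities.
 * @return string[]
 */
function smg_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
	if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
		return $caps;
	}

	// Administrators (and super admins on multisite) keep their normal rights.
	if ( smg_user_is_admin( $user_id ) || ( is_multisite() && is_super_admin( $user_id ) ) ) {
		return $caps;
	}

	// Everyone else, shop_manager included, is denied access to administrator accounts.
	// Self-edits are unaffected: a non-admin editing their own profile never hits this.
	if ( smg_user_is_admin( $args[0] ) ) {
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'smg_protect_admin_accounts', 10, 4 );

/**
 * Audit helper: roles other than administrator that carry edit_users.
 *
 * Roles live in the wp_user_roles option, so the result is the same whether the
 * plugin that created the role is active or not. Run from WP-CLI, for example:
 *   wp eval 'print_r( smg_roles_with_edit_users() );'
 *
 * @return string[] Role slugs, e.g. array( 'shop_manager' ).
 */
function smg_roles_with_edit_users() {
	$found = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		if ( 'administrator' !== $slug && ! empty( $role['capabilities']['edit_users'] ) ) {
			$found[] = $slug;
		}
	}
	return $found;
}
```

Running the audit helper before and after deactivating WooCommerce shows the point of the article: shop_manager is listed both times, because deactivation removes the plugin's filter but not the role's capability. One caveat: this guard only addresses the first problem. A user who can delete arbitrary files on the server could remove this file as well, so it complements updating the plugin rather than replacing it.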
So the only way to lift that restriction is to deactivate the plugin, which only an administrator can do, or to delete its files. And this is where the second problem comes in.
RIPS Technologies analysts also found a file-deletion bug in WooCommerce 3.4.5 and earlier. A user with Shop Manager privileges can delete any file belonging to the plugin, including files critical to its operation. Once such a file is gone the plugin predictably stops working, WordPress automatically deactivates it, and the site is back in the situation described above: a user with the Shop Manager role can edit the profile of any user. The researchers note that from there it is not difficult for an attacker to take over the administrator account, and with it control of the entire site.
The experts stress that to pull off this chain an attacker first needs access to an account with the Shop Manager role. That, however, is achievable, for example through an XSS vulnerability or a phishing attack.
The WooCommerce developers have already fixed the problem in a new release of the plugin (3.4.6). The experts recommend that users check for plugin updates and make sure they are running the latest version of WooCommerce.