Do you use WooCommerce to power your WordPress e-commerce site?
If you do, you’re in good company.
Figures compiled in January 2019 suggest that more than 2.9 million websites worldwide are powered by WooCommerce, which equates to about 0.6 percent of all websites globally.
New Critical Security Risk
WooCommerce users are being urged to check their plug-ins as soon as possible after a dangerous exploit was identified earlier this week.
Before we get into what the dangers are and the actions you should urgently take, it’s important to understand the main players.
Automattic vs Visser Labs
WooCommerce is owned and created by the private company Automattic. Yes, that’s the same company that owns and runs WordPress.com, the done-for-you WordPress installation and hosting service for those people who don’t feel comfortable navigating the technology to host and run their own WordPress installation. Find out more about the difference between WordPress.com and WordPress.org here.
The WooCommerce platform remains as solid and vulnerability-free as ever, leaving most users breathing a sigh of relief. However, a completely separate plug-in by the name of WooCommerce Checkout Manager, which extends the functionality of WooCommerce by allowing users to customize their online shopping cart checkout pages, is the subject of the latest security risk scandal.
Despite having a similar sounding name, the WooCommerce Checkout Manager plug-in is completely separate from WooCommerce and Automattic. It’s owned and maintained by Visser Labs, which offers a suite of plug-ins designed to supplement existing e-commerce solutions.
Could You Be Affected?
If you run WooCommerce on your WordPress site but have not added any supplementary plug-ins, WooCommerce Checkout Manager in particular, you don’t need to worry about this latest critical security risk. However, given their very similar sounding names, it is easy to assume that WooCommerce Checkout Manager is part of WooCommerce itself, rather than a completely separate and independent plug-in created by a different entity.
Early estimates put the number of current installations of the WooCommerce Checkout Manager plug-in at approximately 60,000, a tiny proportion of the more than 2.9 million WooCommerce users overall.
This means that most WooCommerce websites do not also use the WooCommerce Checkout Manager plug-in, but it also means that there are currently 60,000 websites at risk. If you’re not sure whether you’re using the plug-in or not, take a moment right now to log in to your site and check your list of plug-ins to find out for sure.
Understanding The Risk
The problem is a file upload vulnerability within the plug-in: any visitor, even one who is not registered on the website, can upload a file, because no permission or privilege check is performed. The vulnerable code path belongs to one of the plug-in’s many options, “Categorize Uploaded Files”, and is exposed whenever that option is enabled.
Armed with this information, hackers can easily gain admin access, modify data, or upload .php exploits, potentially putting all registered users of affected WordPress sites at risk.
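To make the class of bug concrete, here is an added illustration (not the WooCommerce Checkout Manager’s own code, and not based on its source) of a WordPress AJAX upload handler that runs for logged-out visitors with no permission check, followed by a hardened version of the same handler. All hook names, the nonce action, the allowed-type list and the `demo_` function names are hypothetical; the WordPress functions themselves (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are real core API.

```php
<?php
// Added illustration, not the plug-in's own code. Hook names, nonce action and
// the allowed-type list are hypothetical; only the WordPress core calls are real.

// wp_handle_upload() lives in an admin include; admin-ajax.php normally loads
// it, but requiring it explicitly keeps the example self-contained.
require_once ABSPATH . 'wp-admin/includes/file.php';

// --- Weak pattern -----------------------------------------------------------
// Registering the callback on a wp_ajax_nopriv_* hook means anyone who can
// reach /wp-admin/admin-ajax.php runs it, logged in or not, and the callback
// never asks who the caller is or what the file is. This is the shape of the
// flaw the article describes.
function demo_upload_weak() {
    $upload = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json( $upload );
}
add_action( 'wp_ajax_demo_upload_weak',        'demo_upload_weak' );
add_action( 'wp_ajax_nopriv_demo_upload_weak', 'demo_upload_weak' ); // the mistake

// --- Hardened pattern -------------------------------------------------------
function demo_upload_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'demo_upload_nonce', 'nonce' );

    // 2. Authorization: only users who hold the upload_files capability proceed.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Content check: the extension and the detected MIME type must both match
    //    an entry on a short allow-list. The list is constructed for this example;
    //    PHP and other server-executable types are deliberately absent.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $name  = sanitize_file_name( $_FILES['file']['name'] );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress move the file into the uploads directory, again limited
    //    to the verified types.
    $upload = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
// Authenticated requests only: there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_demo_upload_hardened', 'demo_upload_hardened' );
```

The point of the hardened version is that the capability check and the file-type check run on the server on every request, regardless of what the settings page shows. Turning off the option that exposes the upload path, as recommended below, removes the reachable code rather than fixing it, which is why the article treats it as a stop-gap.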
Early Disclosure
You may be thinking that it’s unusual for full details of an exploit to be immediately available to the public. The details of the security flaw, along with a full proof-of-concept exploit, have been published by a security company known as Plugin Vulnerabilities, which has recently started publishing full details and proofs-of-concept for all flaws and vulnerabilities it exposes. These actions are their way of protesting against moderators of the official WordPress support forum, who they say delete their posts, putting numerous websites at risk.
The rules of the WordPress support forum state that issues and vulnerabilities must be reported directly to the plug-in creators before being publicly disclosed. However, Plugin Vulnerabilities maintains that plug-in creators ignore their messages, or the messages are deleted by forum staff.
Whether the security company’s methods are good or bad for the WordPress community is a hotly debated topic, but for now at least WooCommerce users who have customized their WordPress sites with the WooCommerce Checkout Manager plug-in are forearmed with the information they need.
What’s Been Done to Solve the Problem?
Unfortunately, very little has been done. The security risk was discovered less than a week ago, and in that time Visser Labs have refused to make any public comment on the problem. Instead, they have removed the plug-in from the WordPress.org directory, simply stating that the plug-in was “closed on April 26, 2019 and is no longer available for download”. While this action does ensure that no new WordPress sites can install the at-risk plug-in, it does nothing to help the 60,000 websites currently running it, many of which may not realize the danger to their website and its users.
What Do You Need to Do?
If your site is one of the 60,000 currently using WooCommerce Checkout Manager, the best step you can take to secure it is to disable the plug-in completely. If that would prove problematic or you’re not in a position to disable it immediately, you can buy yourself some time by opening the plug-in’s settings page and disabling the “Categorize Uploaded Files” option.
However, this should only be considered a short-term solution until you can find another way to achieve the same effects that the WooCommerce Checkout Manager has had on your site. By all accounts, the plug-in is unsafe: it leaves WordPress sites open to exploitation and should be uninstalled as quickly as possible.
If you have any questions or concerns about this security risk or anything else relating to your WordPress site, contact us today. The team at FuelThemes are happy to assist with any queries relating to premium WordPress themes, WordPress plug-ins and tools, and anything else WordPress-related.