The popular Booster for WooCommerce plugin patched a Reflected Cross-Site Scripting vulnerability, affecting approximately 70,000+ websites using the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that offers over 100 features for customizing WooCommerce stores.
The modular package provides the most essential functionality required to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress generally happens when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor’s browser.
If the user is an admin, there is potential for the attacker to steal the admin credentials and take over the website.
The non-profit Open Web Application Security Project (OWASP) describes this type of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search engine result, or any other response that consists of some or all of the input sent out to the server as part of the request.
Reflected attacks are delivered to victims through another route, such as in an e-mail message, or on some other site.
… XSS can trigger a variety of issues for the end user that range in severity from an inconvenience to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin prior to 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, causing Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode them in special characters (called ASCII).
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a website might encode that URL using the ASCII characters “%20” to represent the encoded blank space.
It’s this failure to properly encode URLs that enables an attacker to input something else, probably a malicious script, although it might be something else like a redirect to a malicious website.
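To make the NVD description concrete, the following sketch is an added example, not code from the Booster plugin or from this article's sources. It uses Python's standard library as a stand-in for a plugin's output step; the function names, the `/shop?section=` link and the sample value are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Constructed request value: the quote character tries to close the attribute.
SAMPLE_PARAM = 'shop page" data-injected="1'


def render_unescaped(value):
    """The flaw class in the advisory: request input echoed into an attribute as-is."""
    return '<a href="/shop?section=' + value + '">Back</a>'


def render_escaped(value):
    """Percent-encode the value for the URL, then HTML-escape the whole attribute."""
    url = "/shop?section=" + quote(value, safe="")
    return '<a href="' + escape(url, quote=True) + '">Back</a>'


def safe_link_target(url):
    """Allow only relative or http(s) targets; rejects schemes such as javascript:."""
    return urlsplit(url.strip()).scheme.lower() in ("", "http", "https")


class AttrCollector(HTMLParser):
    """Records the attribute names an HTML parser sees on each start tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    """Return the attribute names present in the rendered markup."""
    collector = AttrCollector()
    collector.feed(markup)
    return collector.names


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        html_out = render(SAMPLE_PARAM)
        print(render.__name__, attribute_names(html_out), html_out)
```

A useful regression check for any template that echoes request data is the one `attribute_names` performs: after rendering, the tag should carry only the attributes the developer wrote.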
Changelog Records Vulnerabilities
The plugin’s official log of software updates (called a changelog) refers to a Cross-Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Repaired CSRF issue for Booster User Roles Changer.
REPAIRED – Included Security vulnerability fixes.”
Users of the plugin should consider upgrading to the very latest version of the plugin.
Read the advisory at the U.S. Federal Government National Vulnerability Database
Check out a summary of the vulnerability at the WPScan site
Booster for WooCommerce – Reflected Cross-Site Scripting