The popular Booster for WooCommerce plugin patched a Reflected Cross-Site Scripting vulnerability, affecting up to 70,000+ websites using the plugin.
Booster for WooCommerce Vulnerability
Booster for WooCommerce is a popular all-in-one WordPress plugin that offers over 100 functions for customizing WooCommerce stores.
The modular bundle provides the most essential functionality needed to run an ecommerce store, such as custom payment gateways, shopping cart customization, and customized price labels and buttons.
Reflected Cross Site Scripting (XSS)
A reflected cross-site scripting vulnerability on WordPress generally occurs when an input expects something specific (like an image upload or text) but allows other inputs, including malicious scripts.
An attacker can then execute scripts in a site visitor's browser.
If the user is an admin, there is the potential for the attacker to steal the admin credentials and take control of the site.
The non-profit Open Web Application Security Project (OWASP) describes this kind of vulnerability:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
… XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.”
As of this time the vulnerability has not been assigned a severity rating.
This is the official description of the vulnerability by the U.S. Government National Vulnerability Database:
“The Booster for WooCommerce WordPress plugin prior to 5.6.3, Booster Plus for WooCommerce WordPress plugin prior to 6.0.0, Booster Elite for WooCommerce WordPress plugin prior to 6.0.0 do not escape some URLs and parameters prior to outputting them back in attributes, causing Reflected Cross-Site Scripting.”
What that means is that the vulnerability involves a failure to “escape some URLs,” which means to encode their special characters in an ASCII representation.
Escaping URLs means encoding URLs in an expected format. So if a URL with a blank space is encountered, a website may encode that URL using the ASCII characters “%20” to represent the blank space.
It’s this failure to properly encode URLs that allows an attacker to input something else, presumably a malicious script, although it could be something else like a redirection to a malicious site.
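The class of bug the NVD text describes, a request value written into an HTML attribute without escaping, shown beside a hardened version. This is an added example, not the Booster plugin's code or anything from the advisory; the function names and sample values are constructed, and inside WordPress the `esc_url()` and `esc_attr()` helpers do this job.

```php
<?php
// Added example; not the Booster plugin's code. Function names are hypothetical.

// Vulnerable pattern: a request-supplied URL is echoed into an attribute as-is.
function render_link_unsafe(string $url): string
{
    return '<a href="' . $url . '">Back</a>';
}

// Hardened pattern: allow only http(s) or relative URLs, then escape the value
// for the HTML attribute context so quotes cannot end the attribute.
function render_link_safe(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false || ($scheme !== null
        && !in_array(strtolower($scheme), ['http', 'https'], true))) {
        $url = '#'; // malformed or disallowed scheme: fall back to a harmless link
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">Back</a>';
}

// Parse the generated markup and list the attribute names found on the <a> tag.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample values standing in for a reflected query parameter.
$samples = [
    'https://shop.example/cart?step=2&coupon=A B',
    '/checkout" onmouseover="alert(1)',
    'javascript:alert(1)',
];

foreach ($samples as $value) {
    printf("%s\n  unsafe attrs: %s\n  safe attrs:   %s\n  safe html:    %s\n",
        $value,
        implode(',', attribute_names(render_link_unsafe($value))),
        implode(',', attribute_names(render_link_safe($value))),
        render_link_safe($value));
}
```

For the second sample the unescaped output parses with an extra `onmouseover` attribute, while the escaped output keeps the whole value inside `href`; the third sample shows why a scheme allow-list is needed in addition to escaping.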
Changelog Records Vulnerabilities
The plugin's official log of software updates (called a changelog) makes reference to a Cross Site Request Forgery vulnerability.
The free Booster for WooCommerce plugin changelog contains the following notation for version 6.0.1:
“FIXED – EMAILS & MISC. – General – Fixed CSRF issue for Booster User Roles Changer.
FIXED – Added Security vulnerability fixes.”
Users of the plugin should consider upgrading to the very latest version of the plugin.
Read the advisory at the U.S. Government National Vulnerability Database
Read a summary of the vulnerability at the WPScan website
Booster for WooCommerce – Reflected Cross-Site Scripting