E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, the first available on Aug. 22 and the second on Sept. 2, failed to patch the problem. A third round of patches for the bugs became available to customers on Sept. 9.

On Thursday, the Wordfence Threat Intelligence researchers who had been tipped off to the vulnerabilities publicly disclosed the flaws and offered a technical analysis. “We strongly recommend updating to the latest version of this plugin, currently 2.2.1, as soon as possible, since the consequences of a breach on an e-Commerce site can be severe,” wrote researchers at Wordfence.

WooCommerce Self-Serve Coupons

The two vulnerabilities are tied to the plugin developer’s implementation of Asynchronous JavaScript and XML (AJAX) code. According to Flycart Technologies, Discount Rules for WooCommerce enables the 3.3 million active WooCommerce merchants to use the add-on to streamline customer discounts and manage dynamic pricing. Researchers estimate that Discount Rules for WooCommerce is active on 40,000 sites running the WooCommerce open-source platform.

Researchers identify the flaws as “authorization bypass leading to stored cross-site scripting” bugs. The flaws gave hackers a springboard to an eventual compromise of a targeted site. Additionally, the flaw “allowed any site visitor to add,…
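The class of bug described above, a WordPress AJAX handler that any visitor can reach and that stores unsanitised input, is shown here in an added illustration beside a hardened version. This is example code written for this article, not code from Discount Rules for WooCommerce or Flycart; the hook names, option name and `label` field are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical hook/option names.

// BEFORE: the anti-pattern behind "authorization bypass leading to stored XSS".
// The handler is registered on the unauthenticated (nopriv) hook as well, has no
// nonce check, no capability check and no sanitisation, so any site visitor can
// persist arbitrary markup that later renders in an admin screen.
add_action( 'wp_ajax_nopriv_example_save_rule', 'example_save_rule_unsafe' );
add_action( 'wp_ajax_example_save_rule', 'example_save_rule_unsafe' );
function example_save_rule_unsafe() {
    update_option( 'example_rule_label', $_POST['label'] );
    wp_send_json_success();
}

// AFTER: logged-in-only hook, nonce check, capability check, input sanitised
// on the way in and escaped on the way out.
add_action( 'wp_ajax_example_save_rule_safe', 'example_save_rule_safe' );
function example_save_rule_safe() {
    // Rejects requests that lack a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'example_save_rule', 'nonce' );

    // Only users allowed to manage the store may change pricing rules.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Strip tags and control characters before the value is persisted.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_rule_label', $label );
    wp_send_json_success( array( 'label' => $label ) );
}

// Escape at render time as well, regardless of what was stored earlier.
function example_render_rule_label() {
    echo esc_html( get_option( 'example_rule_label', '' ) );
}
```

A quick audit check for any plugin: list every `wp_ajax_nopriv_` hook and confirm each handler verifies a nonce, checks a capability where it writes data, and sanitises input before `update_option()` or a database write.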