CVE-2021-42367 Vulnerability in Variation Swatches for WooCommerce Plugin
The researchers disclosed the issue responsibly to the plugin’s developers on November 12, 2021. A patch was subsequently released on November 23. It is highly recommended that all Variation Swatches for WooCommerce plugin users install the latest version 2.1.2.
What is the Variation Swatches for WooCommerce plugin designed for? Its purpose is adding variation swatches to products created with WooCommerce, thus allowing shop owners to sell multiple variants of the same product. To function properly, the plugin registered various AJAX actions needed to manage settings. However, they were not implemented in a safe manner, allowing threat actors with low-level permissions to update the plugin’s settings and execute malicious code.
“More specifically, the plugin registered the tawcvs_save_settings, update_attribute_type_setting, and update_product_attr_type functions, which were all hooked to various AJAX actions. These three functions were all missing capability checks as well as nonce checks, which provide Cross-Site Request Forgery protection,” Wordfence said.
In other words, any authenticated, low-level user could execute the AJAX actions tied to these functions.
“AJAX actions were used to control the various settings of the plugins, and the tawcvs_save_settings function in particular could be used to update the plugin’s settings to add malicious web scripts, which makes the issue much more severe,” the report added.
What could the consequences of an attack based on CVE-2021-42367 be? Malicious web scripts can be leveraged in various ways, including modifying a plugin or theme file to add a backdoor. A backdoor could grant an attacker the ability to perform a website takeover attack.
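The flaw class described above, an admin-ajax settings handler with neither a capability check nor a nonce check, shown beside its hardened form. This is an added illustration, not code from the plugin or from the Wordfence report; the action, option and setting names (example_save_settings, example_settings, swatch_size, label, custom_css) are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not the plugin's code.

// Vulnerable pattern (wiring commented out, shown for contrast): wp_ajax_* hooks
// fire for any logged-in user, so without a capability check or a nonce check
// any subscriber-level account can overwrite the stored settings, scripts included.
// add_action( 'wp_ajax_example_save_settings', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    update_option( 'example_settings', $settings ); // raw, unsanitized input
    wp_send_json_success();
}

// Hardened pattern: verify the nonce (CSRF protection), require a capability
// only administrators hold, and sanitize every value before it is stored.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_secure' );
function example_save_settings_secure() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // ends the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'swatch_size' => absint( $raw['swatch_size'] ?? 32 ),
        'label'       => sanitize_text_field( $raw['label'] ?? '' ),
        'custom_css'  => wp_strip_all_tags( $raw['custom_css'] ?? '' ),
    );
    update_option( 'example_settings', $settings );
    wp_send_json_success( $settings );
}

// The admin page must embed a matching nonce so legitimate requests pass the check.
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_nonce' );
function example_enqueue_settings_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings_nonce' ),
    ) );
}
```

The nonce alone does not replace the capability check: a nonce proves the request came from a page WordPress served to that user, while `current_user_can()` decides whether that user may change settings at all.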
In September 2021, Wordfence researchers reported two vulnerabilities in the Gutenberg Template Library & Redux Framework plugin for WordPress, CVE-2021-38312 and CVE-2021-38314. The first vulnerability could allow users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API.
The second vulnerability could enable unauthenticated attackers to access potentially sensitive information regarding a site’s configuration. The bug’s rating is 5.3 on the CVSS scale.