WooCommerce Extension – Reflected XSS Vulnerability

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On November 1, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.

We sent the full disclosure details on November 4, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 8, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Preview E-Mails for WooCommerce”, which is version 2.0.1 at the time of this publication.

Description: Reflected Cross-Site Scripting
Affected Plugin: Preview E-mails for WooCommerce
Plugin Slug: woo-preview-emails
Affected Versions: <= 1.6.8
CVE ID: CVE-2021-42363
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.0.0

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

As part of the plugin’s functionality, there is a feature to search orders and to generate an email preview based upon a specific order, so that an administrator or shop manager can see exactly what a specific user sees for the emails that get sent out. Unfortunately, the search_orders parameter, used to conduct the search, was reflected to the page and had no input sanitization or escaping upon output which made it possible for users to supply arbitrary scripts that would execute in the browser when the page was accessed with the payload set in the search_orders parameter.

                 <select name="search_order" id="woo_preview_search_orders" class="woo_preview_search_orders" class="regular-text" style="width: 35%;">
					<?php
					if ( ! empty( $_POST['search_order'] ) ) {
						?>
                        <option value="<?php echo $_POST['search_order']; ?>" selected="selected">#order : <?php echo $_POST['search_order']; ?></option>
						<?php
					}
					?>

This meant that if an attacker could successfully convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. This script could be crafted to inject a new administrative user or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over the site.

Timeline

November 1, 2021 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the Preview E-mails for WooCommerce plugin. We validate that the Wordfence Firewall provides complete protection. We initiate contact with the developer.
November 3, 2021 – The developer confirms the inbox for handling the discussion.
November 4, 2021 – We send over the full disclosure details.
November 8, 2021 – A fully patched version of the plugin is released as version 2.0.0.

Conclusion

In today’s post, we detailed a flaw in the Preview E-mails for WooCommerce plugin that made it possible for attackers to inject malicious web scripts into a page that would execute if an attacker successfully tricked a site administrator into performing an action. This flaw has been fully patched in version 2.0.0.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.0.1 at the time of this publication.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected by the Wordfence firewall’s built-in XSS protection.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

Did you enjoy this post? Share it!

Comments

2 Comments
  • The patch release date is incorrect in the Timeline section and should be November instead of October.

    • Hi Jos, thanks for pointing that out! I've gone ahead and updated the post.