During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability.
This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.
We reported the vulnerabilities to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.
Details
Plugin Name: WOOCS – WooCommerce Currency Switcher
Plugin URI: https://wordpress.org/plugins/woocommerce-currency-switcher/
Author: PluginUs.net
The Vulnerability
Due to the seriousness of this vulnerability, and the number of affected sites, we will delay posting the proof of concept to give users time to upgrade.
Authenticated Local File Inclusion
Affected Versions: < 1.3.7
CVE-ID: CVE-2021-24566
CVSSv3.1: 9.9
CWE: CWE-98
CWSS: 96.5
public function render_html($pagepath, $data = array()) {
@extract($data);
ob_start();
include($pagepath);
return ob_get_clean();
}
The render_html method, which is used by the [woocs] shortcode to display the currency switcher on a page, does not correctly handle arguments sent to PHP’s extract function.
//[woocs]
public function woocs_shortcode($args) {
if (empty($args)) {
$args = array();
}
$args['shortcode_params'] = $args;
if (isset($args['sd']) AND intval($args['sd']) > 0) {
wp_enqueue_style('woocs-sd-selectron23', WOOCS_LINK . 'css/sd/selectron23.css', [], WOOCS_VERSION);
wp_enqueue_script('woocs-sd-selectron23', WOOCS_LINK . 'js/sd/selectron23.js', [], WOOCS_VERSION);
wp_enqueue_script('woocs-sd-front', WOOCS_LINK . 'js/sd/front.js', ['woocs-sd-selectron23'], WOOCS_VERSION);
if ($this->shop_is_cached) {
wp_enqueue_script('woocs-sd-front-cache', WOOCS_LINK . 'js/sd/front-cache.js', ['woocs-sd-front'], WOOCS_VERSION);
}
global $WOOCS_SD;
$args['sd_id'] = intval($args['sd']);
$args['sd_settings'] = $WOOCS_SD->get(intval($args['sd']));
}
return $this->render_html(WOOCS_PATH . 'views/shortcodes/woocs.php', $args);
}
Since $data contains all of the shortcode’s attributes, $pagepath can be overwritten with arbitrary file paths, which will then be included in the site’s execution context.
Since WordPress allows any logged-in users to render shortcodes, regardless if they have post-editing privileges or not, this is a pretty severe bug.
Proof of concept
To be released.
Timeline
2021-07-09 – Initial contact with PluginUs.net
2021-07-14 – We sent them details about this vulnerability
2021-07-15 – PluginUs.net sendt us a tentative patch, and scheduled release on the 19th
2021-07-19 – WooCommerce Currency Switcher version 1.3.7 was released
Conclusion
We recommend that you check which version of the WooCommerce Currency Switcher plugin you are using on your site, and if it is less than 1.3.7 update it as soon as possible!
At Jetpack we work hard to make sure your websites are protected from these types of vulnerabilities. To stay one step ahead of any new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.
Credits
Original researcher: Marc Montpas
Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections. Also, thanks to PluginUs.net for swiftly addressing this issue and releasing the updated version.
Jetpack 