Severe Vulnerability Patched In WooCommerce Currency Switcher

During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability. 

This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.

We reported the vulnerability to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.

Details

Plugin Name: WOOCS – WooCommerce Currency Switcher
Plugin URI: https://wordpress.org/plugins/woocommerce-currency-switcher/
Author: PluginUs.net

The Vulnerability

Due to the seriousness of this vulnerability, and the number of affected sites, we will delay posting the proof of concept to give users time to upgrade.

Authenticated Local File Inclusion

Affected Versions: < 1.3.7
CVE-ID: CVE-2021-24566
CVSSv3.1: 9.9
CWE: CWE-98
CWSS: 96.5

public function render_html($pagepath, $data = array()) {
    // Imports every key of $data as a local variable, with no flags: an existing
    // local such as $pagepath is silently overwritten by a key of the same name.
    @extract($data);
    ob_start();
    include($pagepath); // includes whatever $pagepath holds after extract()
    return ob_get_clean();
}

The render_html method, which is used by the [woocs] shortcode to display the currency switcher on a page, does not correctly handle arguments sent to PHP’s extract function. 

//[woocs]
public function woocs_shortcode($args) {
    if (empty($args)) {
        $args = array();
    }

    $args['shortcode_params'] = $args;

    if (isset($args['sd']) AND intval($args['sd']) > 0) {
        wp_enqueue_style('woocs-sd-selectron23', WOOCS_LINK . 'css/sd/selectron23.css', [], WOOCS_VERSION);
        wp_enqueue_script('woocs-sd-selectron23', WOOCS_LINK . 'js/sd/selectron23.js', [], WOOCS_VERSION);
        wp_enqueue_script('woocs-sd-front', WOOCS_LINK . 'js/sd/front.js', ['woocs-sd-selectron23'], WOOCS_VERSION);

        if ($this->shop_is_cached) {
            wp_enqueue_script('woocs-sd-front-cache', WOOCS_LINK . 'js/sd/front-cache.js', ['woocs-sd-front'], WOOCS_VERSION);
        }

        global $WOOCS_SD;
        $args['sd_id'] = intval($args['sd']);
        $args['sd_settings'] = $WOOCS_SD->get(intval($args['sd']));
    }

    // $args (the raw shortcode attributes) is passed straight through as $data
    return $this->render_html(WOOCS_PATH . 'views/shortcodes/woocs.php', $args);
}

Since $data contains all of the shortcode’s attributes, $pagepath can be overwritten with arbitrary file paths, which will then be included in the site’s execution context.

Since WordPress allows any logged-in user to render shortcodes, regardless of whether they have post-editing privileges, this is a pretty severe bug.
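As an added example (not the plugin's code, and not the fix PluginUs.net shipped in 1.3.7), here is one way a render_html-style helper can be hardened against this pattern: the view path is resolved and confined to the plugin's views directory before any caller-supplied data is touched, and extract() is told never to overwrite existing variables. WOOCS_PATH and the view file are constructed in a temporary directory for the demo.

```php
<?php
// Added example (not the plugin's code or its 1.3.7 fix): a hardened render_html.
// Assumption: WOOCS_PATH is the plugin directory, as in the original; here it is
// a temporary directory constructed for the demo.
function render_html_hardened(string $pagepath, array $data = []): string {
    $views_dir = realpath(WOOCS_PATH . 'views');
    $real = realpath($pagepath);
    // 1. Resolve and confine the view path before touching caller data.
    //    realpath() fails for missing files and collapses any ../ segments.
    if ($views_dir === false || $real === false
        || strncmp($real, $views_dir . DIRECTORY_SEPARATOR, strlen($views_dir) + 1) !== 0) {
        throw new InvalidArgumentException('view must live inside the plugin views directory');
    }
    // 2. Never let extract() overwrite existing locals ($pagepath, $real, ...).
    //    Without the flag, a 'pagepath' key in $data replaced the include target.
    extract($data, EXTR_SKIP);
    ob_start();
    include $real; // the validated, resolved path, not the raw argument
    return ob_get_clean();
}

// --- demo with a constructed plugin directory ---
$tmp = sys_get_temp_dir() . '/woocs-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/views/shortcodes', 0700, true);
file_put_contents(
    $tmp . '/views/shortcodes/woocs.php',
    '<p>Currency: <?= htmlspecialchars($currency ?? "n/a") ?></p>'
);
define('WOOCS_PATH', $tmp . '/');
$view = WOOCS_PATH . 'views/shortcodes/woocs.php';

// Normal use: template variables still arrive.
echo render_html_hardened($view, ['currency' => 'EUR']), "\n";

// A colliding key is ignored; the include target is unchanged.
echo render_html_hardened($view, ['currency' => 'USD', 'pagepath' => 'ignored']), "\n";

// A path outside views/ (here also non-existent) is rejected before anything is included.
try {
    render_html_hardened($tmp . '/woocs.php', []);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

unlink($view);
rmdir($tmp . '/views/shortcodes'); rmdir($tmp . '/views'); rmdir($tmp);
```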

Proof of concept

To be released.

Timeline

2021-07-09 – Initial contact with PluginUs.net
2021-07-14 – We sent them details about this vulnerability
2021-07-15 – PluginUs.net sent us a tentative patch, and scheduled release on the 19th
2021-07-19 – WooCommerce Currency Switcher version 1.3.7 was released

Conclusion

We recommend that you check which version of the WooCommerce Currency Switcher plugin you are using on your site, and if it is less than 1.3.7, update it as soon as possible!

At Jetpack we work hard to make sure your websites are protected from these types of vulnerabilities. To stay one step ahead of any new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.

Credits

Original researcher: Marc Montpas

Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections. Also, thanks to PluginUs.net for swiftly addressing this issue and releasing the updated version.

This entry was posted in Vulnerabilities.