According to Flycart Technologies, Discount Rules for WooCommerce lets the 3.3 million active WooCommerce merchants use the add-on to streamline customer discounts and manage dynamic pricing. Researchers estimate that Discount Rules for WooCommerce is active on roughly 40,000 sites running the open-source WooCommerce platform.
Researchers classify the issues as “authorization bypass leading to stored cross-site scripting” bugs. The issues gave attackers a springboard to an eventual compromise of a targeted site. In addition, the flaw “allowed any site visitor to add, modify, and delete” Ajax rules, allowing them to view any existing coupons. On the 20th, researchers notified Flycart of the flaws affecting version 2 (v2) of Discount Rules for WooCommerce. On the 22nd, Flycart released an “interim” fix, affording only partial protection from an attack.
“The vulnerabilities that were originally patched in the plugin were AJAX actions present in the ‘v2’ codebase of the plugin… Unfortunately, the plugin maintained a separate ‘v1’ codebase containing. Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding a awdr_switch_plugin_to query string parameter set to v1.”
Once the plugin was set to use the “v1” codebase, they wrote, “a number of AJAX actions became available providing similar functionality to the patched actions in ‘v2’.”
“Doing this could result in site takeover by adding a backdoor to plugin or theme files, adding a malicious administrator, or any number of other actions,” Wordfence wrote. Flycart released a second patch that addressed the vulnerabilities but left the version-switching functionality vulnerable to cross-site request forgery (CSRF) attacks, researchers said. Flycart then released a patch that addressed both Discount Rules for WooCommerce issues, researchers said.
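The two defects the researchers describe, a state-changing switch that any visitor can trigger with a query-string parameter (no authorization check) and, after the second patch, a switch that a logged-in administrator can be tricked into triggering (no CSRF protection), are the same two missing checks. The PHP below is an added illustration, not Flycart's code and not a reconstruction of it: it shows a hypothetical WordPress handler in the weak shape described in the article, then the hardened form using WordPress's own capability and nonce APIs. The option name, hook names, nonce actions and function names prefixed `awdr_example_` are assumptions chosen for the example.

```php
<?php
/**
 * Illustrative only (not the plugin's code). A hypothetical "switch codebase"
 * handler in the weak shape the article describes, then a hardened version.
 * Option and nonce names are assumptions made for this example.
 */

// --- Weak pattern (assumed): any visitor, any page, one GET parameter. ---
// Hooked on 'init' it runs on every front-end page load. Nothing checks who
// is asking or whether the request was intentional, so an unauthenticated
// visitor (or a CSRF link mailed to an admin) flips the site to the legacy
// codebase and every AJAX action registered there becomes reachable again.
function awdr_example_weak_switch() {
    if ( isset( $_GET['awdr_switch_plugin_to'] ) ) {
        $target = sanitize_text_field( wp_unslash( $_GET['awdr_switch_plugin_to'] ) );
        if ( in_array( $target, array( 'v1', 'v2' ), true ) ) {
            update_option( 'awdr_example_active_codebase', $target ); // assumed option name
        }
    }
}
// add_action( 'init', 'awdr_example_weak_switch' ); // deliberately not registered

// --- Hardened pattern: authorization + CSRF token, admin context only. ---
function awdr_example_safe_switch() {
    if ( ! isset( $_GET['awdr_switch_plugin_to'] ) ) {
        return;
    }
    // Authorization: only users who may manage the site can switch codebases.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // CSRF: the request must carry a nonce minted for this specific action.
    // check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( 'awdr_example_switch_codebase', 'awdr_nonce' );

    $target = sanitize_text_field( wp_unslash( $_GET['awdr_switch_plugin_to'] ) );
    if ( ! in_array( $target, array( 'v1', 'v2' ), true ) ) {
        wp_die( 'Unknown codebase.', 'Bad Request', array( 'response' => 400 ) );
    }
    update_option( 'awdr_example_active_codebase', $target );
}
add_action( 'admin_init', 'awdr_example_safe_switch' );

// The settings screen must mint the nonce; a plain URL can no longer be forged.
function awdr_example_switch_link( $target ) {
    $url = add_query_arg( 'awdr_switch_plugin_to', $target, admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'awdr_example_switch_codebase', 'awdr_nonce' );
}

// The same two checks belong on every privileged AJAX action in *both* codebases.
// A wp_ajax_nopriv_* registration without them is reachable by any visitor via
// admin-ajax.php; a wp_ajax_* registration without them by any logged-in user.
add_action( 'wp_ajax_awdr_example_save_rule', 'awdr_example_save_rule' );
function awdr_example_save_rule() {
    check_ajax_referer( 'awdr_example_rules', 'nonce' );      // CSRF token
    if ( ! current_user_can( 'manage_woocommerce' ) ) {       // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... validate and persist the discount rule here ...
    wp_send_json_success();
}
```

The order of the checks matters in practice: the capability test answers "may this user do this at all", and the nonce answers "did this user actually mean to do it now", so a fix that adds only one of them (as the article says the second patch did for the version switch) leaves the other attack open. Site operators who cannot update immediately can also watch their access logs for requests carrying `awdr_switch_plugin_to=` from unauthenticated sources, since a legitimate switch should only ever originate from the admin interface.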
India-based Flycart Technologies has not yet responded to press inquiries requesting comment for this report. It is unclear whether WooCommerce site operators will have to download the patches for Discount Rules for WooCommerce themselves or whether the plugin will receive an automatic update.