E-commerce web sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack them. The two vulnerabilities are tied to the plugin developer's implementation of Asynchronous JavaScript and XML (AJAX) code.

According to Flycart Technologies, Discount Rules for WooCommerce lets the 3.3 million active WooCommerce merchants use the add-on to streamline customer discounts and manage dynamic pricing. Researchers estimate that Discount Rules for WooCommerce is active on roughly 40,000 sites running the open-source WooCommerce platform.

Researchers identified the issues as "authorization bypass leading to stored cross-site scripting" bugs. The issues gave hackers a springboard to an eventual compromise of a targeted website. In addition, the flaw "allowed any site visitor to add, modify, and delete" Ajax rules, and to view any existing coupons. On the 20th, researchers notified Flycart of the flaws affecting version 2 (V2) of Discount Rules for WooCommerce. On the 22nd, Flycart released an "interim" fix, affording only partial protection against attack.

"The vulnerabilities that were originally patched in the plugin were AJAX actions present in the 'v2' codebase of the plugin… Unfortunately, the plugin maintained a separate 'v1' codebase containing… Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding an awdr_switch_plugin_to query string parameter set to v1."

Once the plugin was set to use the "v1" codebase, they wrote, "a number of AJAX actions became available providing similar functionality to the patched actions in 'v2'."

"For example, an attacker could send a POST request to wp-admin/admin-ajax.php with the action set to savePriceRule or saveCartRule and inject malicious JavaScript into one of the fields of a discount rule by adding it to the data parameter. The next time an administrator viewed or modified discount rules, the malicious JavaScript would be executed in their browser.

Doing this could lead to site takeover by adding a backdoor to plugin or theme files, adding a malicious administrator, or any number of other actions," Wordfence wrote. Flycart released a second patch that addressed the vulnerabilities but left the version-switching functionality vulnerable to cross-site request forgery attacks, researchers said. Flycart then released a patch that addressed both Discount Rules for WooCommerce issues, the researchers said.
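As an added illustration (not Flycart's or Wordfence's code), the PHP below sets the class of weakness described above, an AJAX handler reachable without authentication that stores rule fields verbatim, beside a hardened WordPress handler with nonce, capability, sanitisation and output-escaping checks; every hook, function and option name is hypothetical.

```php
<?php
// Added example, not Flycart's code. Hook, function and option names are hypothetical.
// The weak pattern mirrors the bug class described above: an AJAX action reachable by
// unauthenticated visitors (wp_ajax_nopriv_*), no capability check, and rule fields
// stored verbatim, so whatever an administrator later renders can carry script.

add_action( 'wp_ajax_nopriv_example_save_rule_weak', 'example_save_rule_weak' );
add_action( 'wp_ajax_example_save_rule_weak', 'example_save_rule_weak' );
function example_save_rule_weak() {
    // Trusts both the caller and the payload: any visitor can store a rule containing HTML/JS.
    $rule = json_decode( wp_unslash( $_POST['data'] ?? '{}' ), true );
    update_option( 'example_discount_rule', is_array( $rule ) ? $rule : array() );
    wp_send_json_success();
}

// Hardened pattern: logged-in-only hook, nonce (CSRF) check, capability check,
// per-field sanitisation on the way in, and escaping when the rule is rendered.
add_action( 'wp_ajax_example_save_rule', 'example_save_rule_hardened' );
function example_save_rule_hardened() {
    check_ajax_referer( 'example_save_rule', 'security' );      // wp_die()s with 403 on a bad nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {         // shop managers and admins only
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $raw  = json_decode( wp_unslash( $_POST['data'] ?? '{}' ), true );
    $raw  = is_array( $raw ) ? $raw : array();
    $rule = array(
        'title'    => sanitize_text_field( $raw['title'] ?? '' ), // strips tags and control chars
        'discount' => max( 0.0, min( 100.0, (float) ( $raw['discount'] ?? 0 ) ) ),
        'enabled'  => ! empty( $raw['enabled'] ),
    );
    update_option( 'example_discount_rule', $rule );
    wp_send_json_success( $rule );
}

// Output escaping is the second line of defence: even if a stored field were altered
// through another path, it is rendered as text in the admin screen, not executed.
function example_render_rule_row( array $rule ) {
    return sprintf(
        '<tr><td>%s</td><td>%s%%</td><td>%s</td></tr>',
        esc_html( $rule['title'] ),
        esc_html( number_format( (float) $rule['discount'], 2 ) ),
        $rule['enabled'] ? 'on' : 'off'
    );
}

// The enqueued admin script must send the value of wp_create_nonce( 'example_save_rule' )
// as the "security" field of the POST body, or check_ajax_referer() rejects the request.
```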

India-based Flycart Technologies has not yet responded to press inquiries requesting comment for this report. It is unclear whether WooCommerce site operators will have to download patches for Discount Rules for WooCommerce or whether the plugin will receive an automatic update.