If you are running version 2.0.35 of WooCommerce's "Product Vendors" plugin, your business is at risk. A reflected cross-site scripting (XSS) vulnerability was reported recently; it was found in a particular field of the sign-up form for new vendors.
As per the report, "the WooCommerce plugin is used by approximately 28% of all online stores."
A patched version, 2.0.36, was released to fix the issue; the latest version of the Product Vendors plugin at the time of writing is 2.0.40. If your site's configuration does not allow automatic updates and you have not upgraded manually, your online store may still be exposed.
How does this vulnerability pose a risk?
An attacker can target a vendor's active session by sending them a specially crafted link, for example in an email to established vendors of a store running WooCommerce. When a logged-in vendor opens the link, the script embedded in it is reflected by the sign-up form and runs in the vendor's browser in the context of the store, where it can perform any action the vendor is allowed to perform. Because WordPress marks its login cookies HttpOnly, the injected script typically acts on the victim's behalf (with the victim's nonces) rather than reading the cookie directly, but the outcome is the same: the attacker controls the victim's session. If the victim is an administrator, the attacker gains administrator privileges, which could be catastrophic.
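The vulnerable pattern behind a reflected XSS of this kind, beside its fix, as an added illustration that is not the Product Vendors plugin's own code. The field name `vendor_name` and the form markup are assumptions (the report does not name the affected field); `esc_attr()` and `sanitize_text_field()` are real WordPress functions, with small stand-ins defined so the file also runs outside WordPress.

```php
<?php
// Added illustration of the vulnerable pattern and its fix; this is not the
// Product Vendors plugin's own code. The field name "vendor_name" is an
// assumption: the report does not say which sign-up field was affected.

// Stand-ins so the file runs outside WordPress; inside WordPress these
// functions already exist and the guards are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Simplified stand-in for the WordPress version: drop tags and whitespace.
        return trim( strip_tags( (string) $str ) );
    }
}

// Vulnerable: the submitted value is reflected into the HTML attribute as-is.
// A value such as  "><script>alert(1)</script>  closes the attribute and the
// tag, and the remainder is parsed by the browser as markup.
function vendor_signup_field_vulnerable( array $request ) {
    $value = isset( $request['vendor_name'] ) ? $request['vendor_name'] : '';
    return '<input type="text" name="vendor_name" value="' . $value . '">';
}

// Fixed: sanitize on input, then escape for the attribute context on output.
// esc_attr() is what actually stops the injection; sanitize_text_field() is
// the usual WordPress step of cleaning the value before it is stored.
function vendor_signup_field_fixed( array $request ) {
    $value = isset( $request['vendor_name'] ) ? sanitize_text_field( $request['vendor_name'] ) : '';
    return '<input type="text" name="vendor_name" value="' . esc_attr( $value ) . '">';
}

// Constructed request, standing in for $_GET / $_POST populated by a crafted link.
$crafted = array( 'vendor_name' => '"><script>alert(1)</script>' );

echo vendor_signup_field_vulnerable( $crafted ), "\n";
echo vendor_signup_field_fixed( $crafted ), "\n";
```

Running it prints the two forms side by side: in the vulnerable one the double quote ends the `value` attribute and the `<script>` element lands in the page, while in the fixed one the quote and angle brackets are entity-encoded and stay inside the attribute. The escaping function has to match the output context: `esc_attr()` for attribute values, `esc_html()` for element text, `esc_url()` for href and src.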
Is your site’s plugin at risk?
If you are using a security plugin with a web application firewall, such as Wordfence, you are less exposed: the vendor says it offers XSS protection for all its users, both free and paid. That is not a substitute for the patch, though. Firewall rules match known payload patterns and can be bypassed, so update the plugin regardless. If you have no such protection and your plugin version is not updated, your site is open to attack, and now that the vulnerability is public, more attackers know about it and the likelihood of attempts is higher.
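A quick way to answer the question in the heading, as an added example that is not from the article or the plugin: read the `Version:` header from the plugin's main file, the same header WordPress uses to report the installed version, and compare it with the first patched release. The plugin directory and file name below are assumptions about the plugin's layout; adjust them to match your install.

```php
<?php
// Added example, not from the article or the plugin. It reads the "Version:"
// header from a plugin's main file and compares it with the first patched
// release. The plugin path is an assumption about the plugin's directory layout.

const PV_FIXED_VERSION = '2.0.36';
const PV_PLUGIN_FILE   = 'wp-content/plugins/woocommerce-product-vendors/woocommerce-product-vendors.php';

// Pull the Version header out of plugin file contents (a "/** ... */" header
// block with lines such as " * Version: 2.0.35").
function pv_header_version( $contents ) {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*([^\r\n]+)/mi', $contents, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// True when the installed version predates the fix.
function pv_is_vulnerable( $installed ) {
    return null !== $installed && version_compare( $installed, PV_FIXED_VERSION, '<' );
}

// Report on a real install, given the WordPress root directory.
function pv_check_install( $root ) {
    $file = rtrim( $root, '/' ) . '/' . PV_PLUGIN_FILE;
    if ( ! is_readable( $file ) ) {
        return 'plugin file not found: ' . $file;
    }
    $installed = pv_header_version( file_get_contents( $file ) );
    if ( null === $installed ) {
        return 'no Version header in ' . $file;
    }
    return pv_is_vulnerable( $installed )
        ? "VULNERABLE: Product Vendors $installed (fixed in " . PV_FIXED_VERSION . ')'
        : "OK: Product Vendors $installed";
}

// Constructed sample header so the logic can be exercised without a WordPress install.
$sample_header = "<?php\n/**\n * Plugin Name: WooCommerce Product Vendors\n * Version: 2.0.35\n */\n";
$installed     = pv_header_version( $sample_header );
echo 'sample header reports ' . $installed . ': ',
    pv_is_vulnerable( $installed ) ? "update required\n" : "patched\n";

// Real check when a WordPress root is given on the command line:
//   php check-product-vendors.php /var/www/html
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    echo pv_check_install( $argv[1] ), "\n";
}
```

If WP-CLI is available, `wp plugin get woocommerce-product-vendors --field=version` gives the same number without a custom script (the slug is the same assumption as the path above). Either way, anything below 2.0.36 needs updating.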
Need to know more about WordPress security?
If you are unsure what XSS vulnerabilities mean for your store, get in touch with the expert WordPress developers at Primotech. Our team of certified WordPress developers can explain scripting vulnerabilities and how to keep your WooCommerce site safe, help you validate and escape your data, and update your plugins to close known security holes.
For more information, contact us!