Researchers from the Wordfence Threat Intelligence team have discovered a vulnerability in Preview E-mails for WooCommerce, a WordPress plugin that extends WooCommerce and is installed on over 20,000 sites.

This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

As part of the plugin’s functionality, there is a feature to search orders and to generate an email preview based on a specific order, so that an administrator or shop manager can see exactly what a given customer sees in the emails that get sent out. Unfortunately, the `search_orders` parameter used to conduct the search was reflected to the page with no input sanitization and no escaping on output. This made it possible for users to supply arbitrary scripts that would execute in the browser whenever the page was accessed with the payload set in the `search_orders` parameter.

```php
<!-- Vulnerable fragment from the plugin's preview page (the rest of the <select> follows in the plugin). -->
<select name="search_order" id="woo_preview_search_orders" class="woo_preview_search_orders" class="regular-text" style="width: 35%;">
   <?php
   if ( ! empty( $_POST['search_order'] ) ) {
       ?>
       <!-- The POST value is echoed unescaped into both the value="" attribute and the option text. -->
       <option value="<?php echo $_POST['search_order']; ?>" selected="selected">#order : <?php echo $_POST['search_order']; ?></option>
       <?php
   }
   ?>
```

This meant that if an attacker could convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. Such a script could be crafted to inject a new administrative user, or to modify a plugin or theme file to include a backdoor, which in turn would let the attacker completely take over the site.
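To make the defect concrete, here is an added example (not the plugin's own code or its actual patch) that renders the reflected option the vulnerable way next to a hardened version. It assumes the order number is numeric, so it validates with `absint()` on input and escapes with `esc_attr()`/`esc_html()` on output; the fallback definitions only exist so the script runs outside WordPress.

```php
<?php
// Fallbacks so this runs outside WordPress; inside WordPress the real functions are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $value ) { return abs( (int) $value ); }
}

// Vulnerable: the POST value is concatenated straight into an attribute and a text node.
function render_option_vulnerable( array $post ) {
    if ( empty( $post['search_order'] ) ) {
        return '';
    }
    return '<option value="' . $post['search_order'] . '" selected="selected">#order : '
         . $post['search_order'] . '</option>';
}

// Hardened (assumption: order numbers are integers): reject anything non-numeric on
// input, then still escape on output so a later change of type cannot reintroduce XSS.
function render_option_hardened( array $post ) {
    if ( empty( $post['search_order'] ) ) {
        return '';
    }
    $order_id = absint( $post['search_order'] );
    if ( 0 === $order_id ) {
        return ''; // not a valid order number: render nothing rather than reflect it
    }
    return '<option value="' . esc_attr( $order_id ) . '" selected="selected">#order : '
         . esc_html( $order_id ) . '</option>';
}

// Constructed input: a value that closes the value="" attribute in the vulnerable path.
$constructed_post = array( 'search_order' => '42"><b>injected</b>' );

echo "Vulnerable: " . render_option_vulnerable( $constructed_post ) . "\n";
echo "Hardened:   " . render_option_hardened( $constructed_post ) . "\n";
```

The vulnerable line reproduces the injected markup verbatim, while the hardened line reduces the input to `42` and emits a well-formed option; validating on input and escaping on output are independent defenses, and the fix needs both.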

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.0.1 at the time of this publication.