In a 6 November blog post, researchers said that, if exploited, the vulnerability would give shop managers – employees of the store who can manage orders, products and customers – the ability to delete files on the server and take over any administrator account.
The file deletion vulnerability was first detected and reported in WooCommerce. Though not considered critical, the vulnerability was fixed in version 3.4.6. Researchers found that deleting certain plugin files in WordPress can actually lead to a full-site takeover. This can occur when security checks are disabled through an unpatched design flaw in the WordPress privilege system.
“Affected were over 4 million WooCommerce shops. No other requirements other than an attacker being in control of an account with the user role shop manager were required,” researchers wrote. “Such access could be obtained via XSS vulnerabilities or phishing attacks. Once the vulnerability described here is exploited, the shop manager can take over any administrator account and then execute code on the server.”
To assign privileges, WordPress gives certain capabilities to different roles, such as the shop manager. The role is defined during the installation process of the plugin and is able to edit customer accounts, researchers said. That role is stored as a core setting of WordPress in the database, making it independent of the plugin.
Only privileged users can edit another user. However, the default settings and meta capabilities that plugins can add are only executed when the plugin is active, which researchers identified as a design flaw.
“The issue is that user roles get stored in the database and exist even if the plugin is disabled. This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with ‘edit_users’ to edit any user, even administrators, would occur. This would allow shop managers to update the password of the admin account and then take over the entire site.”
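The design flaw the researchers describe can be modelled in a few lines. The following is an added example, not WordPress or WooCommerce code: the role table, function names and the hardened rule are assumptions made for illustration. It shows the plugin-dependent check beside a check that does not depend on any plugin, plus an audit a defender could run over the stored roles.

```python
# Simplified model of the privilege check described in the article.
# All names and data here are constructed for illustration.

# Roles live in the database and persist even when a plugin is disabled.
ROLES_IN_DB = {
    "administrator": {"edit_users", "manage_options"},
    "shop_manager": {"edit_users"},  # granted when the plugin was installed
    "customer": set(),
}


def plugin_meta_check(actor_role, target_role):
    """Plugin-supplied restriction: shop managers may only edit customers."""
    if actor_role == "shop_manager" and target_role != "customer":
        return False
    return True


def can_edit_user(actor_role, target_role, active_filters):
    """Default behaviour: 'edit_users' allows editing any user.
    Restrictions apply only if an active plugin has registered them."""
    if "edit_users" not in ROLES_IN_DB.get(actor_role, set()):
        return False
    return all(check(actor_role, target_role) for check in active_filters)


def can_edit_user_hardened(actor_role, target_role, active_filters):
    """Hypothetical mitigation: a rule enforced outside any plugin, so it
    still runs when the plugin is disabled or its files are missing."""
    if target_role == "administrator" and actor_role != "administrator":
        return False
    return can_edit_user(actor_role, target_role, active_filters)


def audit_roles(active_filters, check=can_edit_user):
    """List non-administrator roles that can currently edit an administrator."""
    return sorted(
        role for role in ROLES_IN_DB
        if role != "administrator"
        and check(role, "administrator", active_filters)
    )


if __name__ == "__main__":
    print("plugin active:  ", audit_roles([plugin_meta_check]))
    print("plugin disabled:", audit_roles([]))
    print("hardened, plugin disabled:", audit_roles([], can_edit_user_hardened))
```
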