Flaw in popular add-on allows any logged-in customer to achieve admin status
A critical vulnerability in a WordPress plugin with more than 70,000 active installations could grant an attacker full administrative access, including the ability to modify and takeover a site’s database.
The bug in TI WooCommerce Wishlist has been patched in the latest version (1.21.12). Users are being urged to update as soon as possible, as the vulnerability is currently being exploited in the wild.
Security researchers from NinTechNet described how a lack of a capability check and other flaws could enable a malicious actor to take control of a target site running the plugin.
A blog post reads: “The plugin has an import function in the ti-woocommerce-wishlist/includes/export.class.php script, loaded with the WordPress admin_action_ hook, that lacks a capability check and security nonce, allowing an authenticated user to modify the content of the WordPress options table in the database.
“Hackers use it to enable registration by setting the users_can_register option and then create an admin account by changing the default_role option to administrator.”
Despite the fact that WooCommerce blocks non-admin users from entering the WordPress administrative dashboard by default, a bad actor could also bypass the restriction.
“Because WooCommerce allows customer registration, any logged-in customer can exploit this vulnerability,” NinTechNet said.
TI WooCommerce Wishlist is a tool used by e-commerce sites that enables customers to add products to a wishlist.
Data suggests that there are around 70,000 active installations. More than half of these have updated to at least version 1.21, though it isn’t clear how many users are using the most up-to-date release.
This indicates that thousands of users could be vulnerable to attack.