The plugin named “Variation Swatches for WooCommerce,” installed on 80K WordPress-powered retail sites, has a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious web scripts and take over sites.
It is designed to allow retailers using the WooCommerce platform for WordPress sites to show different versions of the same product, like a sweater in several colors. The vulnerable versions can also give users without admin permissions like customers or subscribers access to the plugin’s settings.
The plugin registered the ‘tawcvs_save_settings,’ ‘update_attribute_type_setting’ and ‘update_product_attr_type’ functions, which were all hooked to various AJAX actions.
Giving low-level users access to the “tawcvs_save_settings” function is particularly concerning, because that access can be used to update the plugin’s settings and inject malicious web scripts that would execute whenever a site owner opened the plugin’s settings area.
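The following hypothetical WordPress plugin code is an added illustration, not the plugin's own code, of the weakness class described above: an AJAX settings handler reachable by any logged-in user that stores unchecked input, shown beside a hardened handler that checks capability and nonce, sanitizes on input and escapes on output. The `example_` prefixes, the option key, the settings field names and the choice of the `manage_woocommerce` capability are assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's code). Everything prefixed "example_"
// is a hypothetical name chosen for this demonstration.

// --- Vulnerable pattern ---------------------------------------------------
// Any wp_ajax_* action fires for every authenticated user, including
// subscribers and shop customers. With no capability check, no nonce check
// and no sanitization, whatever is posted is stored verbatim and later
// rendered on the admin settings page: a stored XSS sink.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function example_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage the store may change
    //    plugin settings (capability name is an assumption for this example).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. Request origin: a valid nonce ties the request to our own settings
    //    page; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 3. Input sanitization against an allowlist of known keys, each with the
    //    sanitizer appropriate to its type. Unknown keys are dropped.
    $raw     = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $allowed = array(
        'swatch_size'  => 'absint',
        'tooltip_text' => 'sanitize_text_field',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $raw[ $key ] );
        }
    }

    update_option( 'example_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// 4. Output escaping: even a value that reached the option through some other
//    path cannot be interpreted as markup when the settings page renders it.
function example_render_tooltip_field() {
    $settings = get_option( 'example_settings', array() );
    $value    = isset( $settings['tooltip_text'] ) ? $settings['tooltip_text'] : '';
    printf(
        '<input type="text" name="settings[tooltip_text]" value="%s">',
        esc_attr( $value )
    );
}
```

The two registrations use different action names only so both handlers can sit in one file for comparison; in a real plugin the vulnerable handler would simply not exist. The hardened version applies the usual WordPress trio (capability check, nonce check, sanitize on input / escape on output), and the first check alone would have removed the low-privilege access path the article describes.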
Malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site.
The vulnerability (CVE-2021-42367) affected all users of the plugin until Nov. 23, when it was patched in version 2.1.2. To remain protected, users should update the plugin on their websites.