Variation Swatches plugin flaw in WordPress exposed users to attacks

January 17, 2022

About 80,000 WordPress-powered retail sites running the Variation Swatches for WooCommerce plugin reportedly contain a stored cross-site scripting (XSS) vulnerability through which threat actors can inject malicious web scripts and ultimately take over the affected site.

The Variation Swatches plugin lets WooCommerce retailers on WordPress showcase products that come in different versions, such as colours and styles. Security analysts discovered, however, that the plugin allows authenticated users with few or no administrative permissions, such as subscribers, to modify the plugin's settings.

As the analysts explained, the plugin registers three functions, 'update_attribute_type_setting', 'update_product_attr_type' and 'tawcvs_save_settings', as handlers for different AJAX actions. All three lack both a capability check, which would confirm that the caller is authorised to change settings, and a nonce check, which would protect the site against cross-site request forgery (CSRF).

The experts highlighted that exposing 'tawcvs_save_settings' to low-privilege users is especially alarming: with it, any such user can update the plugin's settings and store malicious web scripts in them, and those scripts execute in the site owner's browser every time the owner opens the plugin's settings page.

The analysts added that scripts running with the administrator's session could create new admin user accounts or modify the plugin to include a backdoor, either of which would let threat actors take over the infected website.
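To make the missing checks concrete, the following is an added illustration written for this article; it is not the Variation Swatches plugin's code and was not published by its developer. It shows a WordPress AJAX settings handler built the way the analysts describe (no capability check, no nonce check, no sanitisation or escaping) beside a hardened version. The option name, AJAX action name and nonce action ('example_swatch_label', 'example_save_settings') are invented for the example.

```php
<?php
// Added example, not the Variation Swatches plugin's own code.
// Option, action and nonce names below are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* handlers are reachable by ANY logged-in user, including subscribers,
// unless the handler itself checks who is calling.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No current_user_can(): a subscriber can call this directly.
    // No check_ajax_referer(): an administrator can be made to call it cross-site.
    // No sanitisation: whatever is posted is stored as-is.
    update_option( 'example_swatch_label', $_POST['label'] );
    wp_send_json_success();
}

// The settings page echoes the stored value unescaped, so a stored
// "><script>...</script> payload runs in the administrator's browser on view.
function example_render_settings_vulnerable() {
    echo '<input name="label" value="' . get_option( 'example_swatch_label' ) . '">';
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );

function example_save_settings_fixed() {
    // Authorisation: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), so no return needed
    }
    // CSRF protection: the nonce must be the one issued to this user for this action.
    // check_ajax_referer() dies with a -1 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Sanitise on input: strip tags and stray slashes before storing.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_swatch_label', $label );
    wp_send_json_success();
}

function example_render_settings_fixed() {
    // Escape on output as well: defence in depth if a bad value ever reached the DB.
    echo '<input name="label" value="'
        . esc_attr( get_option( 'example_swatch_label', '' ) ) . '">';
    // The nonce the page's JavaScript must send back as the POST field "nonce".
    echo '<input type="hidden" name="nonce" value="'
        . esc_attr( wp_create_nonce( 'example_save_settings' ) ) . '">';
}
```

Both checks are needed: a capability check alone still lets an attacker ride an administrator's logged-in session through a forged cross-site request, and a nonce check alone is not an authorisation check, since any user who can load a page that emits the nonce can submit it. Escaping at output covers values that were stored before the fix shipped.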

 

The vulnerability, tracked as CVE-2021-42367, affected every site running the plugin until November 23, 2021, when the plugin's developer released version 2.1.2 with a fix. Site owners should confirm they are running 2.1.2 or later.

As the platform has grown, a steady stream of bugs and attack incidents across the WordPress landscape has compromised many users worldwide. GoDaddy, the largest domain registrar globally, recently disclosed that threat actors had breached its servers, impacting more than 1.2 million of its hosted WordPress customers.

In another incident in mid-November, threat actors tampered with a different WordPress plugin so that it displayed a fake ransomware message demanding $6,000 to unlock affected sites. The message was an empty threat: deleting the plugin was all that was needed to restore the site. Security analysts warned that had the threat actors deployed real ransomware, the result would have been catastrophic for every affected user.
