WordPress WooCommerce XSS Vulnerability

WordPress WooCommerce XSS Vulnerability – Hijacking a Customer Account with a Crafted Image

The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in WooCommerce. WooCommerce is an open-source eCommerce platform built on WordPress. According to BuiltWith statistics, WooCommerce is the No. 1 eCommerce platform, owning 22% of global market share in 2018.

This XSS vulnerability (CVE-2019-9168) exists in the zoom display of the Photoswipe function, where WooCommerce failed to sanitize an image's title and caption data. This vulnerability may allow an attacker to inject arbitrary code into a WooCommerce-powered website. When a victim visits the webpage with the attack code inserted, the attacker could gain control of the victim's browser, hijack the current WooCommerce session, gather sensitive information, etc.

This XSS vulnerability affects WooCommerce versions prior to 3.5.4.

Based on the zero-day alert provided by FortiGuard Labs, the WooCommerce team has issued a software patch. From their summary, we can see that the WooCommerce fix now sanitizes the title and caption data. See Figure 1.

Figure 1. CVE-2019-9168 patch
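As an added example (not WooCommerce's or PhotoSwipe's own code), the contrast between a caption template that interpolates an image's title and caption raw and one that escapes them first. The element markup and the gallery item are simplified assumptions; the payload string is the one quoted later in this write-up.

```javascript
// Added example (not WooCommerce's own code): why unescaped title and caption
// data turns into script execution in the zoom view, and how escaping stops it.
// The caption text and the gallery item shape are constructed for this example.
const CAPTION_FROM_PAGE = "<img src=1 onerror=prompt('1')>"; // payload quoted in the write-up

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: caption and title are concatenated into markup as-is,
// so any tag inside them becomes part of the page when the zoom view opens.
function renderCaptionUnsafe(item) {
  return `<div class="pswp__caption__center" title="${item.title}">${item.caption}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it is placed in
// either the text node or the attribute value, so the payload stays inert text.
function renderCaptionSafe(item) {
  return `<div class="pswp__caption__center" title="${escapeHtml(item.title)}">${escapeHtml(item.caption)}</div>`;
}

// Audit helper for a site owner: flag stored captions that contain a tag or an
// inline event-handler attribute so media metadata can be reviewed.
function looksLikeMarkup(text) {
  return /<\s*[a-z!/]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

const item = { title: "Product image", caption: CAPTION_FROM_PAGE }; // constructed gallery item
console.log(renderCaptionUnsafe(item)); // the <img ... onerror=...> tag survives intact
console.log(renderCaptionSafe(item));   // &lt;img src=1 onerror=prompt(&#39;1&#39;)&gt; as text
console.log(looksLikeMarkup(item.caption)); // true
```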

Analysis

To reproduce this vulnerability, the first step is to upload an image and insert JavaScript code into the image's Caption field. In WordPress, uploading an image from a low-permission account doesn't require permission to access the WooCommerce plug-in. See Figure 2.

Figure 2. Uploading an image

Because only high-permission accounts like admin can add arbitrary JavaScript code, we instead insert the sanitized code "<img src=1 onerror=prompt('1')>" (note: remove the start and ending double quotes) using a low-permission account. See Figure 3.

Figure 3. Insertion of XSS code

Then, once someone with low-permission privileges adds this infected image as a product image or into a product gallery, the XSS code is inserted into the product page. See Figure 4.

Figure 4. Compromised image added to Products page

Now, when a victim views this product and zooms into the product image, the XSS code will be automatically executed. See Figures 5 and 6.

Figure 5. Zooming in on the product image

Figure 6. Triggering the XSS attack

To simplify the attack process, an attacker could modify an image's Title and Subject metadata locally, changing them to "<img src=1 onerror=prompt('2')>" (note: remove the start and ending double quotes). See Figure 7.

Figure 7. Creating the PoC file locally

The attacker can then share this image with the site manager. When the manager uses this image as the product image or in the product gallery, the XSS code is inserted. See Figure 8.

Figure 8. Site manager uses the PoC file as the product image

Figure 9. Triggering the XSS attack

An attacker could exploit this vulnerability to hijack the current user session, to control a victim’s browser, and more. Because the targets are eCommerce websites, the attacker could then gather sensitive data like banking information, addresses, etc.

Solution

All users of vulnerable versions of WooCommerce are encouraged to upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:

WooCommerce.Photoswipe.Caption.XSS