WooCommerce vulnerability affected a large number of websites

RIPS security researcher Simon Scannell noted that WooCommerce contained a file deletion vulnerability that allowed a store manager to delete arbitrary files on the server. On its own, the worst this type of vulnerability can do is delete the site's index.php and cause a denial of service, but when it is combined with the way WordPress handles permissions, an attacker can take control of the entire site.

WooCommerce provides three roles: customers, store managers, and administrators. The store manager is primarily responsible for managing customers, products, and orders. When WooCommerce creates the store manager role, it grants it the WordPress edit_users capability, and the role definition is stored in the WordPress database. By default, edit_users allows editing every user account, including administrators.

To prevent store managers from changing administrator accounts, WooCommerce attaches a check to edit_users that is applied each time the capability is invoked. The check only permits changes to customer or product data, not edits to administrator accounts.

However, an attacker who has obtained store manager privileges can use WooCommerce's file deletion vulnerability to delete WooCommerce itself. When WooCommerce is disabled, WordPress does not remove the store manager's permission, but WooCommerce's restriction on that permission no longer applies. The store manager can then modify administrator accounts, gain administrative access to the system, take over the entire site and execute arbitrary code.
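The restriction described above lives in the plugin, so it disappears together with the plugin while the role it granted remains in the database. A site can enforce the same rule itself in a must-use plugin, which cannot be deactivated from the dashboard. The following is an added example, not WooCommerce's own code; it uses the standard WordPress map_meta_cap filter and wp_roles() API, and the role slug and file path are assumptions.

```php
<?php
/**
 * Plugin Name: Protect Administrator Accounts
 * Description: Added example (not WooCommerce's code). Denies any non-administrator
 *              who holds edit_users/delete_users/promote_users/remove_users the right
 *              to act on administrator accounts, whether or not any plugin is active.
 * Install as wp-content/mu-plugins/protect-admins.php (assumed path).
 */

add_filter( 'map_meta_cap', 'protect_admin_accounts_map_meta_cap', 10, 4 );

/**
 * Meta capabilities that act on a single target user ID passed in $args[0].
 * Assumption: these four are the ones worth guarding on this site.
 */
function protect_admin_accounts_map_meta_cap( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $target = get_userdata( (int) $args[0] );
    if ( ! $target || ! in_array( 'administrator', (array) $target->roles, true ) ) {
        return $caps; // Target is not an administrator: keep the normal mapping.
    }

    $actor = get_userdata( (int) $user_id );
    if ( $actor && in_array( 'administrator', (array) $actor->roles, true ) ) {
        return $caps; // Administrators may still manage each other.
    }

    // A non-administrator acting on an administrator is denied outright.
    // 'do_not_allow' is a capability no user holds, so current_user_can() is false.
    return array( 'do_not_allow' );
}

/**
 * Detection: warn administrators when a non-administrator role still carries
 * edit_users while WooCommerce is not loaded, the exact state the article describes.
 */
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) || class_exists( 'WooCommerce' ) ) {
        return;
    }
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' !== $slug && ! empty( $role['capabilities']['edit_users'] ) ) {
            printf(
                '<div class="notice notice-warning"><p>Role "%s" holds edit_users but WooCommerce is inactive.</p></div>',
                esc_html( $slug )
            );
        }
    }
} );
```

Because must-use plugins load before regular plugins and cannot be deactivated through the admin interface, the rule stays in force even if the file deletion vulnerability is used to remove WooCommerce.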

WooCommerce version 3.4.6 was released to fix this vulnerability; please update as soon as possible.