Booster for WooCommerce Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1054 |WordPress Plugin Vulnerability Report

Plugin Name: Booster for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: woocommerce-jetpack
  • Software Status: Active
  • Software Author: pluggabl
  • Software Downloads: 3,564,084
  • Active Installs: 50,000
  • Last Updated: February 27, 2024
  • Patched Versions: 7.1.7
  • Affected Versions: <= 7.1.6

Vulnerability Details:

  • Name: Booster for WooCommerce <= 7.1.6
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1054
  • CVSS Score: 6.4
  • Publicly Published: February 12, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through the 'wcj_product_barcode' shortcode due to inadequate input sanitization and output escaping on user-supplied attributes like 'color'. Authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages, which will be executed when a user accesses an infected page.

Summary:

The Booster for WooCommerce plugin for WordPress has a vulnerability in versions up to and including 7.1.6 that allows authenticated attackers to perform Stored Cross-Site Scripting (XSS) attacks via insufficiently sanitized user inputs. This vulnerability has been addressed in version 7.1.7.

Detailed Overview:

This vulnerability was identified by researcher Ngô Thiên An from VNPT-VCI, who discovered that the 'wcj_product_barcode' shortcode could be exploited by attackers to inject malicious scripts. The risk associated with this vulnerability includes the potential for attackers to steal cookies, hijack sessions, or redirect users to malicious websites, thereby compromising the security of the website and its users. To mitigate this vulnerability, the developers have released a patched version, 7.1.7, which implements proper input sanitization and output escaping.

Advice for Users:

Immediate Action: Users are strongly encouraged to update their Booster for WooCommerce plugin to the patched version 7.1.7 as soon as possible to prevent potential exploits. Check for Signs of Vulnerability: Website administrators should review their pages for unexpected or suspicious scripts and monitor user roles and permissions to ensure only trusted users have contributor-level access or higher. Alternate Plugins: While the patched version is secure, users may consider exploring other reputable WooCommerce enhancement plugins as a precautionary measure. Stay Updated: Keeping all WordPress plugins up to date is crucial for maintaining site security and preventing vulnerabilities.

Conclusion:

The swift action taken by the developers of Booster for WooCommerce to release a patched version of the plugin highlights the critical importance of maintaining up-to-date software on your WordPress site. To ensure the security of your site and its users, it is essential to upgrade to version 7.1.7 or later. Regularly updating your plugins and themes, along with implementing best security practices, can significantly reduce the risk of security breaches.

References:

In today's digital landscape, the security of your WordPress website cannot be taken for granted. A recent discovery of a vulnerability in the widely used Booster for WooCommerce plugin serves as a critical reminder of the potential risks lurking in outdated or unpatched software. Identified as CVE-2024-1054, this security flaw poses a significant threat to website integrity and user safety, highlighting the essential need for regular updates and vigilant cybersecurity practices.

Plugin Overview:

Booster for WooCommerce is a popular WordPress plugin designed to supercharge your e-commerce site with a multitude of customizable features. With over 50,000 active installations and more than 3.5 million downloads, its impact on the WooCommerce community is substantial. Developed by pluggabl, the plugin has been a go-to solution for enhancing WooCommerce stores with extended functionalities.

Vulnerability Details:

The vulnerability in question, CVE-2024-1054, is an Authenticated Stored Cross-Site Scripting (XSS) issue discovered in versions up to and including 7.1.6 of the Booster for WooCommerce plugin. This security flaw was brought to light by researcher Ngô Thiên An from VNPT-VCI, who found that the 'wcj_product_barcode' shortcode could be exploited by attackers with contributor-level access or higher to inject malicious scripts into web pages. These scripts could then execute various harmful actions, such as stealing sensitive information, hijacking user sessions, or redirecting to malicious sites, whenever an unsuspecting user accesses the compromised page.

Risks and Potential Impacts:

The risks associated with this vulnerability are considerable, with potential impacts ranging from data breaches to complete site compromise. For businesses relying on WooCommerce for their e-commerce operations, such a vulnerability could not only disrupt business operations but also damage customer trust and brand reputation.

Remediation and Advice for Users:

In response to the discovery of this vulnerability, the developers of Booster for WooCommerce promptly released a patched version, 7.1.7, which addresses the security issue by implementing proper input sanitization and output escaping. Users of the plugin are strongly advised to update to this latest version immediately to mitigate the risk of exploitation. Additionally, website owners should regularly review their sites for unexpected scripts or content and maintain strict control over user roles and permissions to prevent unauthorized access.

Previous Vulnerabilities:

It's worth noting that this is not the first vulnerability discovered in the Booster for WooCommerce plugin. Since July 28, 2018, there have been 23 previous vulnerabilities reported, underscoring the importance of continuous monitoring and updating of all software components on your website.

Conclusion:

The swift response by the developers of Booster for WooCommerce to patch the CVE-2024-1054 vulnerability underscores the critical importance of staying abreast of security updates. For small business owners who may not have the time or resources to constantly monitor their WordPress websites, this incident serves as a stark reminder of the potential consequences of neglecting website security. Implementing a routine schedule for checking and updating all plugins, themes, and core WordPress files is essential for maintaining a secure online presence. Furthermore, considering professional security services or tools that can automate some of these processes may be a worthwhile investment to ensure your website remains protected against emerging threats. In the realm of cybersecurity, proactive measures are your best defense against the ever-evolving landscape of online vulnerabilities.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Booster for WooCommerce Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1054 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment