Customer Reviews for WooCommerce Vulnerability – Authenticated (Author+) Arbitrary File Upload – CVE-2023-6979 | WordPress Plugin Vulnerability Report

Plugin Name: Customer Reviews for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: customer-reviews-woocommerce
  • Software Status: Active
  • Software Author: ivole
  • Software Downloads: 3,786,034
  • Active Installs: 60,000
  • Last Updated: January 9, 2024
  • Patched Versions: 5.38.10
  • Affected Versions: <= 5.38.9

Vulnerability Details:

  • Name: Customer Reviews for WooCommerce <= 5.38.9
  • Title: Authenticated (Author+) Arbitrary File Upload
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2023-6979
  • CVSS Score: 9.8
  • Publicly Published: January 9, 2024
  • Researcher: Artem Guzhva (hexcat)
  • Description: The plugin's ivole_import_upload_csv AJAX action, which accepts a CSV file of reviews for import, does not validate the type of the uploaded file. WordPress routes wp_ajax_* requests to any logged-in user, and this handler was reachable by accounts with the Author role or higher, so such a user can upload a file with any extension, for example a PHP script. If the web server executes files from the directory the upload lands in, the attacker runs code on the server with the web server's privileges. Versions up to and including 5.38.9 are affected; 5.38.10 fixes the check.

Summary:

The Customer Reviews for WooCommerce plugin, a widely used tool for collecting and displaying customer feedback on WooCommerce stores, has a critical arbitrary file upload vulnerability in versions up to and including 5.38.9. Any authenticated user with at least the Author role can upload a file of arbitrary type through the plugin's CSV import action, which on a typical host leads to remote code execution. The vulnerability is patched in version 5.38.10.

Detailed Overview:

The flaw is a missing file-type check in the AJAX action that accepts a CSV file for import. A handler that stores whatever file the client names will save reviews.php as readily as reviews.csv, and on most hosts the WordPress uploads directory sits inside the web root and is served by the same PHP engine that runs WordPress, so the uploaded script executes as the web server user as soon as it is requested. From there an attacker can read the database credentials in wp-config.php, every customer and order record, and alter the storefront. Two details matter for triage. First, the published CVSS vector lists PR:N (no privileges required), but exploitation needs an Author-level account, which CVSS 3.1 scores as PR:L; the impact components (C:H/I:H/A:H) are full site compromise either way. Second, Author is a role stores commonly give to content writers and support staff, so the set of accounts able to exploit this is usually larger than the administrator list.
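The following is an added illustration, not code from the plugin or from the advisory: a WordPress AJAX CSV-upload handler written with the weakness described above, beside a hardened version of the same handler. The hook names, the nonce action `example_import_csv`, the capability `manage_woocommerce` and the field name `file` are assumptions made for the example; the advisory reports only that file-type validation was missing, and the hardened version additionally shows the nonce and capability checks any such handler should carry.

```php
<?php
/**
 * Added example (not the plugin's code). Shows a CSV-import AJAX handler that
 * accepts any file type beside a hardened version. Hook names, the nonce
 * action, the capability and the form field name are assumptions.
 */

// --- Vulnerable pattern: every logged-in user reaches wp_ajax_* hooks, and
// --- nothing here checks who is calling or what they are uploading.
add_action( 'wp_ajax_example_import_upload_csv', 'example_import_upload_csv_vulnerable' );
function example_import_upload_csv_vulnerable() {
	$upload = wp_upload_dir();
	$target = $upload['basedir'] . '/' . basename( $_FILES['file']['name'] ); // "shell.php" is accepted as-is
	move_uploaded_file( $_FILES['file']['tmp_name'], $target );               // stored inside the web root
	wp_send_json_success( array( 'file' => $target ) );
}

// --- Hardened pattern: authenticate the request, authorise the caller,
// --- allowlist the type, inspect the content, and never persist the file.
add_action( 'wp_ajax_example_import_upload_csv_safe', 'example_import_upload_csv_hardened' );
function example_import_upload_csv_hardened() {
	// 1. CSRF: the request must carry a nonce minted for this action.
	check_ajax_referer( 'example_import_csv', 'nonce' );

	// 2. Authorisation: importing reviews is a shop-management task, not an Author task.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
		wp_send_json_error( 'no file received', 400 );
	}
	$file  = $_FILES['file'];
	$mimes = array( 'csv' => 'text/csv' ); // allowlist: one extension, one type

	// 3. Extension allowlist using WordPress' own check (only the final extension is
	//    examined, which is why steps 4 and 5 are still needed).
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
	if ( 'csv' !== $check['ext'] ) {
		wp_send_json_error( 'only .csv files are accepted', 415 );
	}

	// 4. Content check: a CSV is plain text and must not carry a PHP open tag.
	//    A legitimate CSV containing "<?" is rejected too; that is the safe failure.
	$finfo = new finfo( FILEINFO_MIME_TYPE );
	$real  = $finfo->file( $file['tmp_name'] );
	if ( ! in_array( $real, array( 'text/plain', 'text/csv', 'application/csv' ), true ) ) {
		wp_send_json_error( 'file content is not text', 415 );
	}
	if ( false !== strpos( (string) file_get_contents( $file['tmp_name'] ), '<?' ) ) {
		wp_send_json_error( 'file content rejected', 415 );
	}

	// 5. Never write the upload under the web root: parse it straight from the
	//    temporary path and let PHP discard it when the request ends.
	$rows = example_count_csv_rows( $file['tmp_name'] );
	wp_send_json_success( array( 'rows' => $rows ) );
}

/** Read the CSV from the temp path; returns the number of records parsed. */
function example_count_csv_rows( string $path ): int {
	$fh = fopen( $path, 'r' );
	$n  = 0;
	while ( false !== fgetcsv( $fh ) ) {
		$n++;
	}
	fclose( $fh );
	return $n;
}
```

The order of the checks is deliberate: the nonce and capability tests fail fast for the Author-level accounts this advisory is about, before any bytes of the upload are examined. Step 5 is the part that removes the code-execution outcome even if a later validation bug slips through, because a file that is never written under wp-content cannot be requested through the web server.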

Advice for Users:

  • Immediate Action: Update the Customer Reviews for WooCommerce plugin to the patched version 5.38.10 without delay. If you cannot update promptly, deactivate the plugin until you can; the vulnerable AJAX action is only registered while the plugin is active.
  • Check for Signs of Compromise: List every file under wp-content/uploads with a .php, .phtml or .phar extension (none belong there), review the web-server access log for POST requests to wp-admin/admin-ajax.php followed by requests for files under wp-content/uploads, and audit which accounts hold the Author role or higher, since any of them could have exercised the flaw.
  • Reduce Exposure: Configure the web server to refuse to execute PHP from the uploads directory, and grant the Author role only to people who need to publish posts.
  • Stay Updated: Keep all WordPress plugins current, and enable automatic updates for plugins where your change process allows it, so that fixes like this one reach the site without manual intervention.
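The scan below is an added example, not part of the advisory or the plugin: it reads web-server access-log lines in the common combined format and reports the two indicators a responder would look for after this vulnerability, the import action being invoked and a PHP file being served out of the uploads tree. The log lines are constructed for the example; only the action name ivole_import_upload_csv comes from the advisory. Note that the first indicator is visible only when the client put the action in the query string, because a POST body is not written to the access log, so the second indicator is the more reliable of the two.

```php
<?php
/**
 * Added example (not from the advisory). Scans access-log lines for two
 * indicators of CVE-2023-6979 being exercised. SAMPLE_ACCESS_LOG is
 * constructed for this example; the action name comes from the advisory.
 */

const SAMPLE_ACCESS_LOG = array(
	'203.0.113.5 - - [09/Jan/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ivole_import_upload_csv HTTP/1.1" 200 88 "-" "curl/8.4.0"',
	'203.0.113.5 - - [09/Jan/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/01/reviews.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0"',
	'198.51.100.7 - - [09/Jan/2024:10:02:00 +0000] "GET /product/widget/ HTTP/1.1" 200 10234 "-" "Mozilla/5.0"',
	'198.51.100.7 - - [09/Jan/2024:10:02:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://shop.example/wp-admin/" "Mozilla/5.0"',
	'198.51.100.7 - - [09/Jan/2024:10:02:05 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 34211 "-" "Mozilla/5.0"',
	'192.0.2.9 - - [09/Jan/2024:10:03:11 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 196 "-" "scanner/1.0"',
);

/** Parse one combined-format line into the fields the scan needs; null if it does not parse. */
function parse_access_line( string $line ): ?array {
	if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
		return null;
	}
	return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

/** Return one finding per indicator hit, each as ['ip', 'time', 'reason']. */
function find_upload_indicators( array $lines ): array {
	$findings = array();
	foreach ( $lines as $line ) {
		$r = parse_access_line( $line );
		if ( null === $r ) {
			continue;
		}
		$path  = (string) parse_url( $r['target'], PHP_URL_PATH );
		$query = array();
		parse_str( (string) parse_url( $r['target'], PHP_URL_QUERY ), $query );

		// Indicator 1: the vulnerable import action invoked (only visible when the
		// action travels in the query string; a POST body is not logged).
		if ( 'POST' === $r['method'] && '/wp-admin/admin-ajax.php' === $path
			&& 'ivole_import_upload_csv' === ( $query['action'] ?? '' ) ) {
			$findings[] = array( 'ip' => $r['ip'], 'time' => $r['time'], 'reason' => 'import upload action called' );
		}

		// Indicator 2: a PHP-executable file served (HTTP 200) from the uploads tree.
		// Scanners probing for shells produce 404s; a 200 means the file exists.
		if ( 200 === $r['status'] && preg_match( '#^/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$#i', $path ) ) {
			$findings[] = array( 'ip' => $r['ip'], 'time' => $r['time'], 'reason' => 'PHP file served from uploads: ' . $path );
		}
	}
	return $findings;
}

if ( PHP_SAPI === 'cli' ) {
	foreach ( find_upload_indicators( SAMPLE_ACCESS_LOG ) as $f ) {
		printf( "%s  %s  %s\n", $f['time'], $f['ip'], $f['reason'] );
	}
}
```

Run against the constructed lines, the scan reports two findings, both from 203.0.113.5: the import action call and, seven seconds later, a 200 for reviews.php under uploads, which is the sequence of a file being planted and then used. The 404 from 192.0.2.9 is ordinary scanner noise and is deliberately ignored. Pair the log scan with a filesystem check such as `find wp-content/uploads -type f -name '*.ph*'`, since an attacker who used the shell once and then deleted it, or who uploaded but never requested the file, leaves no second-indicator entry.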

Conclusion:

The swift patching of the CVE-2023-6979 vulnerability by the developers of Customer Reviews for WooCommerce highlights the critical importance of regular software updates in the realm of web security. For WordPress site owners, especially those in the eCommerce sector, staying vigilant and promptly updating plugins is key to safeguarding their digital platforms and maintaining customer trust. This incident serves as a vital reminder of the ongoing need for proactive cybersecurity practices.

Introduction:

In the digital landscape, the security of websites, particularly for eCommerce, is a cornerstone for business success and customer trust. The discovery of the CVE-2023-6979 vulnerability in the widely-used Customer Reviews for WooCommerce plugin is a stark reminder of the importance of keeping website software up to date. This vulnerability not only highlights the risks associated with outdated plugins but also underscores the necessity for ongoing vigilance in cybersecurity, especially for small business owners relying on WordPress.

About the Plugin:

Customer Reviews for WooCommerce, developed by ivole, is a key plugin for eCommerce sites on WordPress, facilitating customer feedback integration. With impressive stats of over 3.7 million downloads and 60,000 active installations, the plugin's influence is widespread across the WooCommerce community.

Previous Vulnerabilities:

Ten earlier vulnerabilities have been disclosed in this plugin since September 22, 2022. A plugin with that disclosure history is a strong candidate for automatic updates and for a recurring check of its changelog, since each fix is only protective once it is installed.

Conclusion:

The quick response by the developers of Customer Reviews for WooCommerce in addressing CVE-2023-6979 demonstrates the critical importance of timely updates in maintaining web security. For small business owners managing WordPress sites, this incident serves as a crucial reminder to stay proactive in updating plugins. Employing automated update features, conducting regular security checks, or utilizing managed WordPress hosting services can be effective strategies to maintain website security with minimal time investment, ensuring the protection of their online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.