WooCommerce Google Feed Manager Vulnerability – Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion and Arbitrary Feed Actions – CVE-2024-7258 | WordPress Plugin Vulnerability Report

Plugin Name: WooCommerce Google Feed Manager

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-product-feed-manager
  • Software Status: Active
  • Software Author: aukejomm
  • Software Downloads: 797,636
  • Active Installs: 10,000
  • Last Updated: August 23, 2024
  • Patched Versions: 2.9.0
  • Affected Versions: <= 2.8.0

Vulnerability Details

Vulnerability 1:

  • Name: WooCommerce Google Feed Manager <= 2.8.0
  • Title: Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-7258
  • CVSS Score: 8.8
  • Publicly Published: August 22, 2024
  • Researcher: Lucio Sá
  • Description: The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to and including 2.8.0. This flaw allows authenticated attackers with Contributor-level access or higher to delete arbitrary files on the server. In particular, this vulnerability can lead to severe consequences, such as remote code execution, if critical files like wp-config.php are deleted.

Vulnerability 2:

  • Name: WooCommerce Google Feed Manager <= 2.8.0
  • Title: Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE: CVE-2024-7258
  • CVSS Score: 4.3
  • Publicly Published: August 22, 2024
  • Researcher: Lucio Sá
  • Description: The WooCommerce Google Feed Manager plugin for WordPress is also vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to and including 2.8.0. This vulnerability allows authenticated attackers with Contributor-level access or higher to perform various unauthorized feed actions, such as deleting a feed, duplicating a feed, and changing the status of a feed.

Summary:

The WooCommerce Google Feed Manager plugin for WordPress has multiple vulnerabilities in versions up to and including 2.8.0 that allow authenticated attackers with Contributor-level access to perform unauthorized actions, including arbitrary file deletion and arbitrary feed actions. These vulnerabilities have been patched in version 2.9.0.

Detailed Overview:

The vulnerabilities identified by researcher Lucio Sá expose WordPress websites using the WooCommerce Google Feed Manager plugin to significant risks. The first vulnerability involves missing authorization checks on the wppfm_removeFeedFile function, allowing attackers to delete arbitrary files on the server. This can lead to catastrophic outcomes such as remote code execution if critical files like wp-config.php are deleted.

The second vulnerability also results from missing authorization checks, this time affecting several feed-related functions. Attackers can delete, duplicate, or change the status of feeds without proper permissions, potentially disrupting the operation of WooCommerce stores and compromising the integrity of product feeds.

Both vulnerabilities underscore the importance of implementing proper access controls and highlight the potential damage that can be caused by unauthorized actions.
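The access-control pattern behind both findings is a WordPress admin-ajax handler that performs a privileged action without first checking the caller's capability. The example below is an added illustration written for this report; it is not the plugin's code and does not reproduce its real handlers. All names prefixed wppfm_example_, the use of the 'manage_woocommerce' capability, and the feed directory under the uploads folder are assumptions. It shows the unchecked pattern the advisory describes beside a hardened version that gates on capability and nonce and confines file deletion to the feed directory, and it reuses the same gate for the feed-action handlers (delete, duplicate, status change) covered by the second finding.

```php
<?php
// Added illustration for this report; not the plugin's own code.
// Assumptions: names prefixed wppfm_example_, the 'manage_woocommerce'
// capability (held by administrators and shop managers, not contributors),
// and a feed directory at <uploads>/wppfm-feeds.

// BEFORE (pattern described in the advisory, reconstructed): the handler
// trusts any logged-in caller and unlinks whatever path it is given.
function wppfm_example_remove_feed_file_unchecked() {
    $file = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file ); // no capability check, no nonce, no path confinement
    }
    wp_send_json_success();
}

// AFTER: one gate shared by every privileged feed action.
function wppfm_example_require_feed_manager( $nonce_action ) {
    // Authorization: a Contributor fails this check and receives 403.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry a nonce minted for this specific action.
    check_ajax_referer( $nonce_action, 'nonce' );
}

function wppfm_example_feed_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'wppfm-feeds';
}

// Map a user-supplied value to a file inside the feed directory, or false.
function wppfm_example_resolve_feed_path( $user_supplied ) {
    $base = realpath( wppfm_example_feed_dir() );
    // Only a bare file name is accepted; directory components are discarded.
    $name = sanitize_file_name( basename( (string) $user_supplied ) );
    if ( false === $base || '' === $name || '.' === $name[0] ) {
        return false;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() resolves symlinks and '..', so a prefix test is reliable here.
    if ( false === $candidate
        || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $candidate;
}

function wppfm_example_remove_feed_file() {
    wppfm_example_require_feed_manager( 'wppfm_example_remove_feed_file' );
    $path = wppfm_example_resolve_feed_path( wp_unslash( $_POST['path'] ?? '' ) );
    if ( false === $path ) {
        wp_send_json_error( 'invalid feed file', 400 );
    }
    wp_delete_file( $path ); // confined to the feed directory; wp-config.php is unreachable
    wp_send_json_success();
}

// Feed actions from the second finding use the same gate. The feed id is
// cast to int and ownership is left to the (hypothetical) storage layer.
function wppfm_example_feed_action() {
    wppfm_example_require_feed_manager( 'wppfm_example_feed_action' );
    $feed_id = absint( $_POST['feed_id'] ?? 0 );
    $action  = sanitize_key( $_POST['feed_action'] ?? '' );
    if ( 0 === $feed_id || ! in_array( $action, array( 'delete', 'duplicate', 'toggle_status' ), true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    // ... perform the whitelisted action on $feed_id (storage layer assumed) ...
    wp_send_json_success( array( 'feed_id' => $feed_id, 'action' => $action ) );
}

// Privileged actions are registered on wp_ajax_ only. Note that omitting the
// wp_ajax_nopriv_ hook is NOT authorization: every logged-in role, Subscriber
// and Contributor included, can reach wp_ajax_ handlers, which is exactly why
// the capability check inside the handler matters.
add_action( 'wp_ajax_wppfm_example_remove_feed_file', 'wppfm_example_remove_feed_file' );
add_action( 'wp_ajax_wppfm_example_feed_action', 'wppfm_example_feed_action' );
```

The two defensive layers are deliberately separate: current_user_can() decides who may act, and the realpath() prefix test decides what may be acted on. Either one alone would have been enough to prevent deletion of wp-config.php in the scenario the advisory describes, but the capability check is the one that also closes the feed-action finding, so it belongs at the top of every privileged handler.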

Advice for Users:

  • Immediate Action: Users should update to version 2.9.0 of the WooCommerce Google Feed Manager plugin immediately to protect their sites from these vulnerabilities.
  • Check for Signs of Compromise: After updating, review your site’s file structure and feed settings for any unauthorized changes or deletions. If critical files were deleted, it may indicate that your site was compromised.
  • Alternate Plugins: While the patch addresses these specific issues, users who are particularly concerned about security might consider exploring alternative WooCommerce feed management plugins with a stronger security history.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities. Regularly updating plugins and themes is crucial for maintaining a secure WordPress site.

Conclusion:

The prompt response from the developers of the WooCommerce Google Feed Manager plugin to patch these vulnerabilities underscores the importance of timely updates. Users are strongly advised to ensure they are running version 2.9.0 or later to secure their WordPress installations and protect their websites from potential security threats.

Detailed Report: 

In today’s rapidly evolving digital landscape, maintaining the security of your WordPress website is essential. For small business owners and website administrators, keeping plugins up to date is a crucial but often overlooked aspect of site maintenance. Neglecting updates can leave your site vulnerable to serious threats, compromising your data, your business, and your customers’ trust. Recently, a significant security vulnerability was discovered in the WooCommerce Google Feed Manager plugin, which is actively used by over 10,000 websites. This vulnerability, identified as CVE-2024-7258, includes two critical issues that pose substantial risks to your site’s security.

The WooCommerce Google Feed Manager plugin is widely used by WooCommerce store owners to manage and optimize product feeds for Google Shopping. While it offers robust features for feed management, a recently discovered vulnerability highlights the importance of keeping this plugin up to date.

Risks and Potential Impacts: Why This Matters

These vulnerabilities pose significant risks to any website using the affected versions of the WooCommerce Google Feed Manager plugin. The potential impacts include:

  • Unauthorized File Deletion: Attackers could delete critical files on your server, leading to catastrophic outcomes like remote code execution or the complete failure of your website.
  • Compromised Feed Integrity: Unauthorized actions on product feeds could lead to incorrect or missing product data, disrupting your store’s operations and potentially resulting in lost sales.
  • Data Loss and Downtime: If key files are deleted or if feeds are improperly managed, your website could experience significant downtime, data loss, and damage to your reputation.

How to Remediate the Vulnerability

Immediate Action: The most important step is to update your WooCommerce Google Feed Manager plugin to version 2.9.0, where these vulnerabilities have been patched. This update eliminates the risk of these specific vulnerabilities being exploited.

Check for Signs of Compromise: After updating, review your site’s file structure and feed settings for any unauthorized changes or deletions. If critical files were deleted, it might indicate that your site was compromised. Restoring from a recent backup may be necessary in such cases.

Consider Alternate Plugins: While the patch resolves these specific issues, you might want to explore alternative WooCommerce feed management plugins if you’re concerned about the plugin’s security history. Other plugins may offer similar functionality with a different security track record.

Stay Updated: Regularly updating all plugins and themes is essential for maintaining a secure WordPress site. Ensuring your site is up to date reduces the risk of vulnerabilities being exploited and ensures that you benefit from the latest security enhancements.

Overview of Previous Vulnerabilities

The WooCommerce Google Feed Manager plugin has had two previous vulnerabilities reported since March 16, 2024. While these vulnerabilities have been addressed, this history underscores the importance of staying vigilant with updates and security practices. Regularly checking for and applying updates is crucial to protecting your site from both known and emerging threats.

Conclusion: The Importance of Staying on Top of Security Vulnerabilities

For small business owners, managing website security can seem overwhelming, especially when time and resources are limited. However, staying on top of security vulnerabilities is critical for protecting your business, your customers, and your reputation. By keeping your plugins updated, using trusted security tools, and staying informed about potential threats, you can significantly reduce the risk of a cyberattack. Remember, proactive security management is always better than reacting to a breach after it has occurred.

If you’re concerned about your website’s security or need assistance with updates, don’t hesitate to seek professional help. Your website is a vital asset—protect it with the attention it deserves.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
