
WooCommerce has issued an advisory about a Cross-Site Scripting (XSS) vulnerability in its core plugin, and Wordfence has separately flagged a critical flaw in the Dokan Pro WooCommerce plugin. The Dokan Pro flaw is an unauthenticated SQL injection: an attacker needs no account on the site to use it to pull sensitive information out of the WordPress database.
Dokan Pro, which turns a WooCommerce store into a multi-vendor marketplace along the lines of Amazon or Etsy, has over 50,000 installations. According to Wordfence, versions up to and including 3.10.3 are vulnerable, and version 3.11.0 is the latest, fully patched release. Only 30.6% of installations are on that version, leaving the other 69.4% on older releases, many of which are still exposed.
The changelog, which is how most site owners learn what an update contains, does not mention that the fix for this critical vulnerability shipped in version 3.10.4, released on April 25, 2024. The omission may have been deliberate, to avoid drawing attackers' attention to the severity of the issue before sites had a chance to update.
The Common Vulnerability Scoring System (CVSS) assigns a severity score based on how easily a flaw can be exploited and how much damage it can do. The Dokan Pro SQL injection was scored 10.0, the maximum, which is why users need to act immediately.
The Dokan Pro flaw is an unauthenticated SQL injection, meaning an attacker does not need any credentials to exploit it. SQL injection lets an attacker alter the queries a site sends to its database, which holds every user, order and setting of a WordPress site. According to Wordfence, this flaw lets attackers append additional SQL to existing queries and use the result to extract sensitive information.
Dokan Pro users should update as soon as possible. Testing an update on a staging copy before pushing it live is always prudent, but a 10.0-rated flaw that needs no login justifies an expedited update.
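To make the "append additional SQL to an existing query" idea concrete, here is an added, generic illustration written for this page; it is not Dokan Pro's code and the table names, rows and the `vendor_id` parameter are all invented for the demo. An in-memory SQLite database stands in for MySQL. The vulnerable function splices an untrusted request value straight into the query, so a `UNION SELECT` payload appends a second query that reads password hashes out of a `wp_users` look-alike table; the hardened function binds the value as a parameter, so the same payload is treated as data and matches nothing.

```python
import sqlite3

# Constructed sample schema standing in for a WordPress database. Every row
# here is invented for the demo; nothing comes from a real site.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',   '$P$BhashOfAdminPassword', 'admin@example.com');
        INSERT INTO wp_users VALUES (2, 'vendor1', '$P$BhashOfVendor1',       'vendor1@example.com');
        CREATE TABLE vendor_products (id INTEGER, vendor_id INTEGER, name TEXT, price REAL);
        INSERT INTO vendor_products VALUES (10, 2, 'Mug', 9.5);
        INSERT INTO vendor_products VALUES (11, 2, 'Poster', 14.0);
    """)
    return db

# Attacker-controlled value for a hypothetical unauthenticated "vendor_id"
# request parameter. It keeps the original WHERE clause true (vendor 2) and
# appends a second SELECT with the same column count, pulling logins and
# password hashes into the product listing.
PAYLOAD = "2 UNION SELECT user_login, user_pass FROM wp_users"

def products_vulnerable(db, vendor_id):
    # Hypothetical unsafe pattern: untrusted input formatted into the SQL text.
    # sqlite3's execute() refuses stacked statements (a trailing "; DROP ..."
    # would raise), but a UNION is still a single statement, so it runs.
    sql = f"SELECT name, price FROM vendor_products WHERE vendor_id = {vendor_id}"
    return db.execute(sql).fetchall()

def products_safe(db, vendor_id):
    # Parameter binding: the value travels to the engine separately from the
    # SQL text, so it can only ever be compared against vendor_id, never parsed.
    sql = "SELECT name, price FROM vendor_products WHERE vendor_id = ?"
    return db.execute(sql, (vendor_id,)).fetchall()

def leaked_logins(rows):
    # Logins that appear in a result set that should only contain products.
    return sorted(r[0] for r in rows if r[0] in ("admin", "vendor1"))

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", products_vulnerable(db, "2"))
    print("vulnerable, payload:     ", products_vulnerable(db, PAYLOAD))
    print("safe, payload:           ", products_safe(db, PAYLOAD))
```

In WordPress terms the fix is the same idea as `$wpdb->prepare()` with `%d`/`%s` placeholders instead of interpolating request values into the query string; casting an ID to an integer before it reaches the query is a useful second layer but not a substitute for binding.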
WooCommerce has also reported a Cross-Site Scripting (XSS) vulnerability affecting versions 8.8.0 and later, specifically on sites with the Order Attribute feature enabled. It is rated 5.4 (medium), but it still warrants a prompt update to WooCommerce 8.9.3, the patched release. The flaw could let an attacker craft links that carry malicious content, affecting anyone who clicks one.
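The link-manipulation risk the advisory describes comes down to untrusted values landing in an anchor tag unescaped. The following is an added, generic illustration written for this page, not WooCommerce's code; the `link_vulnerable` and `link_safe` helpers and the sample inputs are invented. It shows two ways a link goes bad (a `javascript:` URL and a quote that breaks out of the `href` attribute to add an event handler) and a hardened builder that allows only `http`/`https` or same-site paths and HTML-escapes both the URL and the link text.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}

def link_vulnerable(url, label):
    # Hypothetical unsafe pattern: untrusted values dropped into HTML as-is.
    return f'<a href="{url}">{label}</a>'

def is_safe_href(url):
    # Accept absolute http(s) URLs and same-site paths; reject javascript:,
    # data:, and protocol-relative (//host) links that would change the origin.
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return url.startswith("/") and not url.startswith("//")
    return scheme in SAFE_SCHEMES

def link_safe(url, label):
    # Unsafe destinations are neutralised, and every value is escaped for the
    # attribute and text contexts it lands in (quote=True encodes " and ').
    href = url.strip() if is_safe_href(url) else "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'

# Constructed attacker inputs for the demo.
JS_URL = "javascript:alert(document.cookie)"
BREAKOUT_URL = 'https://shop.example/?ref=" onmouseover="alert(1)'
BAD_LABEL = "<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print(link_vulnerable(JS_URL, "Track order"))
    print(link_safe(JS_URL, "Track order"))
    print(link_vulnerable(BREAKOUT_URL, BAD_LABEL))
    print(link_safe(BREAKOUT_URL, BAD_LABEL))
```

On the WordPress side the equivalent calls are `esc_url()` for the `href` and `esc_html()` for the link text; the point is that scheme validation and context-appropriate escaping are both needed, since escaping alone does not stop a `javascript:` URL.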
Adam J. Humphreys, a web developer and search marketing expert from Making 8, Inc., suggests that web hosts should take a more proactive approach in patching critical vulnerabilities, even if it risks site functionality due to conflicts with other plugins or themes. He emphasizes the need for more frequent updates and management to ensure security. Adam explains that many hosts delay updates until a WordPress core update, leaving sites vulnerable. He advocates for ongoing management to mitigate the risks associated with using WordPress, which powers half of all websites.
These findings underscore the critical importance of staying vigilant and proactive in updating and securing WordPress plugins to protect against potential exploits.
Protect Your Store From Vulnerabilities With SafeUpdates
SafeUpdates automatically handles core updates, plugins, and themes, shielding you from vulnerabilities like those in WooCommerce and Dokan Pro.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.