Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection. For added protection, we released an additional firewall rule to protect Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.
We sent the full disclosure details on November 12, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 23, 2021.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Variation Swatches for WooCommerce”, which is version 2.1.2 at the time of this publication.
Stored Cross-Site Scripting
Variation Swatches for WooCommerce
CVE ID: CVE-2021-42367
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version:
Variation Swatches for WooCommerce is a WordPress plugin designed to add variation swatches to products created with WooCommerce. This allows shop owners to easily sell and display multiple variations of a single product. The plugin registered various AJAX actions used to manage settings. Unfortunately, these were insecurely implemented making it possible for attackers with low-level permissions to arbitrarily update the plugin’s settings and inject malicious web scripts.
More specifically, the plugin registered the
update_product_attr_type functions, which were all hooked to various AJAX actions. These three functions were all missing capability checks as well as nonce checks, which provide Cross-Site Request Forgery protection.
This meant that any authenticated user, including those with minimal permissions such as customers and subscribers, could execute the AJAX actions associated with these functions. These AJAX actions were used to control the various settings of the plugins, and the
tawcvs_save_settings function in particular could be used to update the plugin’s settings to add malicious web scripts, which makes the issue much more severe.
As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site.
November 11, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “Variation Swatches for WooCommerce” plugin. We validate that the Wordfence Firewall provides protection and deploy an additional firewall rule for enhanced protection. We initiate contact with the developer.
November 12, 2021 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.
November 20 & 21, 2021 – The developer provides us with a copy of the updated plugin to test. We validate that the vulnerability has been patched.
November 23, 2021 – A fully patched version of the plugin is released as version 2.1.2.
December 11, 2021 – The firewall rule becomes available to free Wordfence users.
In today’s post, we detailed a flaw in the “Variation Swatches for WooCommerce” plugin that made it possible for attackers to inject malicious web scripts that would execute whenever a site owner accessed the settings area of the plugin. This flaw has been fully patched in version 2.1.2.
We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.1.2 at the time of this publication.
All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against XSS exploits targeting this vulnerability by the Wordfence firewall’s built-in XSS protection. In addition, we released a firewall rule for added protection against unauthorized settings changes to Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.
If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.