The Variation Swatches plugin security flaw lets attackers with low-level permissions tweak important settings on e-commerce sites to inject malicious scripts.
The plugin “Variation Swatches for WooCommerce,” installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) security vulnerability that could allow cyberattackers to inject malicious web scripts and take over sites.
Variation Swatches is designed to allow retailers using the WooCommerce platform for WordPress sites to show different versions of the same product, like a sweater in several colors. Unfortunately, vulnerable versions can also give users without administrative permissions — like customers or subscribers — access to the plugin’s settings, according to researchers from Wordfence.
“More specifically, the plugin registered the ‘tawcvs_save_settings,’ ‘update_attribute_type_setting’ and ‘update_product_attr_type’ functions, which were all hooked to various AJAX actions,” Wordfence’s Chloe Chamberland explained, in a Wednesday posting. “These three functions were all missing capability checks as well as nonce checks, which provide cross-site request forgery protection.”
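As an added illustration that is not code from the plugin or from Wordfence, the following constructed WordPress AJAX handler shows the pattern Chamberland describes: one version saves settings with neither a nonce check nor a capability check, and a hardened version adds both plus input sanitization. Function names, hook names and option keys are hypothetical.

```php
<?php
// Constructed example of a WordPress plugin AJAX settings handler.
// Not the plugin's own code; names and option keys are hypothetical.

// Pattern described in the article: a wp_ajax_* action (reachable by any
// logged-in user, including subscribers and customers) that saves settings
// without verifying a nonce (CSRF) or the caller's capability (authorization),
// and stores the raw input, so script injected here is later rendered to admins.
function example_save_settings_unprotected() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_swatch_settings', $settings ); // stored unsanitized
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unprotected' );

// Hardened form: nonce check, capability check and sanitization before storage.
function example_save_settings_protected() {
    // 1. CSRF: verify the nonce created with wp_create_nonce( 'example_save_settings' );
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: only users allowed to manage site options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only known keys and sanitize every value.
    $allowed = array( 'swatch_style', 'tooltip' ); // hypothetical setting keys
    $raw     = isset( $_POST['settings'] ) ? wp_unslash( (array) $_POST['settings'] ) : array();
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }
    update_option( 'example_swatch_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_protected' );

// Defense in depth: when these settings are rendered in the admin area, escape
// them again with esc_html() / esc_attr() so a stored value can never run as script.
```

The nonce must be emitted to the settings page with wp_create_nonce() or wp_nonce_field() and sent back in the `nonce` POST field for check_ajax_referer() to accept the request.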
Giving low-permissioned users access to the “tawcvs_save_settings” function is particularly concerning, she said, because that access can be used to update the plugin’s settings and inject malicious web scripts that would execute whenever a site owner accessed the settings area of the