Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

Source: Wordfence

On July 30, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an unauthenticated attacker (the CVSS vector below records PR:N) to log in as any user, as long as certain options were enabled in the plugin.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on July 30, 2021. Sites still using the free version of Wordfence will receive the same protection on August 29, 2021.

We initially reached out to the plugin vendor on July 30, 2021. After receiving confirmation of an appropriate communication channel a few days later on August 2, 2021, we provided the full disclosure details. The vendor quickly acknowledged the report and a patch was released on August 11, 2021 in version 5.4.4.

We strongly recommend updating immediately to the latest patched version of Booster for WooCommerce, which is version 5.4.4 at the time of publication.

Description: Authentication Bypass
Affected Plugin: Booster for WooCommerce
Plugin Slug: woocommerce-jetpack
Affected Versions: <= 5.4.3
CVE ID: CVE-2021-34646
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.4.4

Read More: https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/