Update your WooCommerce Plugin Immediately

Researchers at RIPS Technologies are warning of a new vulnerability in the wildly popular WooCommerce plugin. Users were first alerted to the issue a few weeks ago by the release notes of the updated version.

The release note stated:

Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.

According to the report published by RIPS Technologies, the PHP security company detected and reported a file deletion vulnerability in WooCommerce. The issue isn’t considered critical by itself, as the only thing an attacker can do with it is delete the website’s index.php.

Exploiting the vulnerability requires access to an account with the Shop Manager user role. Shop managers have access to the store’s database and can manage orders and deal with customers. Such access can easily be obtained via XSS vulnerabilities or phishing attacks. Once attackers hold a Shop Manager account, they can use it to take over the admin role and exploit the vulnerability.

There is also a design flaw in the way WooCommerce interacts with WordPress that makes the vulnerability difficult to fix. The user role is stored in the database and persists even when the plugin is disabled. This means that if WooCommerce is disabled, the meta capability check that restricts what shop managers may do is no longer applied, and WordPress’s default behaviour takes over: any user who is allowed to edit users may then edit administrator accounts as well. A shop manager could then change the admin account’s password and take over the entire website.

How to fix the issue?

The only thing you can do is make sure your WooCommerce plugin is updated to version 3.4.6, which was released on October 11. The plugin is not updated automatically, so you have to apply the update manually. With the new release, shop managers are limited to editing users with the customer role by default, and there is a whitelist of roles that shop managers are allowed to edit.
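The two passages above describe the underlying mechanism: the shop manager role keeps its user-editing capability in the database, and only a filter loaded at runtime narrows it to a whitelist of roles. The following is an added, illustrative snippet (not WooCommerce’s own code) showing how such a whitelist is enforced through WordPress’s map_meta_cap filter; the function names and the example_shop_manager_editable_roles filter are hypothetical. Because it is filter code, it only protects the site while the file is loaded, which is why it is written as a must-use plugin (wp-content/mu-plugins/) that cannot be deactivated from the dashboard the way a normal plugin can.

```php
<?php
/*
 * Illustrative mu-plugin (hypothetical, not WooCommerce's own code):
 * restrict which users a "shop_manager" may edit by hooking WordPress's
 * map_meta_cap filter and answering with the 'do_not_allow' pseudo-capability.
 */

// Whitelist of roles a shop manager may edit; defaults to customers only.
function example_shop_manager_editable_roles() {
    return apply_filters( 'example_shop_manager_editable_roles', array( 'customer' ) );
}

function example_restrict_shop_manager_user_edits( $caps, $cap, $user_id, $args ) {
    // Only the per-user meta capabilities are of interest here.
    $guarded = array( 'edit_user', 'remove_user', 'promote_user', 'delete_user' );
    if ( ! in_array( $cap, $guarded, true ) ) {
        return $caps;
    }

    $actor = get_userdata( $user_id );
    if ( ! $actor || ! in_array( 'shop_manager', (array) $actor->roles, true ) ) {
        return $caps; // Not a shop manager: leave WordPress's default mapping alone.
    }

    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( $target_id === (int) $user_id ) {
        return $caps; // Editing one's own profile stays allowed.
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return array( 'do_not_allow' ); // Unknown target: fail closed.
    }

    // Deny unless every role held by the target user is on the whitelist,
    // so an account that is both "customer" and "administrator" is protected.
    foreach ( (array) $target->roles as $role ) {
        if ( ! in_array( $role, example_shop_manager_editable_roles(), true ) ) {
            return array( 'do_not_allow' );
        }
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_restrict_shop_manager_user_edits', 10, 4 );
```

A quick check from the dashboard after installing it: a Shop Manager should still be able to open a customer’s profile, while the edit link for any administrator account no longer appears in the Users list.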

As an additional safety precaution, back up your live website regularly so you can restore it easily if anything gets deleted. Keep in mind that file deletion vulnerabilities are not uncommon; they have occurred even in WordPress core itself.