Threat Research

WordPress WooCommerce XSS Vulnerability – Hijacking a Customer Account with a Crafted Image

By Zhouyuan Yang | March 04, 2019

Overview

The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in WooCommerce. WooCommerce is an open-source eCommerce platform built on WordPress. According to BuiltWith statistics, WooCommerce is the No. 1 eCommerce platform, owning 22% of global market share in 2018.

This XSS vulnerability (CVE-2019-9168) exists in the zoom display of the Photoswipe function, where WooCommerce failed to sanitize an image’s title and caption data. The vulnerability may allow an attacker to inject arbitrary code into a WooCommerce-powered website. When a victim visits a page carrying the injected code, the attacker could gain control of the victim’s browser, hijack the current WooCommerce session, gather sensitive information, and so on.

This XSS vulnerability affects WooCommerce versions prior to 3.5.4.

Based on the zero-day alert provided by FortiGuard Labs, the WooCommerce team has issued a software patch. Its summary shows that the fix now sanitizes the title and caption data. See Figure 1.

Figure 1. CVE-2019-9168 patch

Analysis

To reproduce this vulnerability, the first step is to upload an image and insert JavaScript code into the image’s Caption field. In WordPress, a low-permission account can upload an image without needing any access to the WooCommerce plug-in. See Figure 2.

Figure 2. Uploading an image

Because only high-permission accounts such as admin can add arbitrary JavaScript code, we instead insert the shorter payload "<img src=1 onerror=prompt('1')>" (without the surrounding double quotes) using a low-permission account. See Figure 3.

Figure 3. Insertion of XSS code

Then, once a low-permission user adds this infected image as a product image or to a product gallery, the XSS code is inserted into the product page. See Figure 4.

Figure 4. Compromised image added to Products page

Now, when a victim views this product and zooms into the product image, the XSS code will be automatically executed. See Figures 5 and 6.

Figure 5. Zooming in on the product image

Figure 6. Triggering the XSS attack

To simplify the attack, an attacker could instead edit an image’s Title and Subject metadata locally, setting them to "<img src=1 onerror=prompt('2')>" (without the surrounding double quotes). See Figure 7.

Figure 7. Creating the PoC file locally

The attacker can then share this image with the site manager. When the manager uses it as the product image or in the product gallery, the XSS code is inserted. See Figure 8.

Figure 8. Site manager uses the PoC file as the product image

Figure 9. Triggering the XSS attack

An attacker could exploit this vulnerability to hijack the current user session, to control a victim’s browser, and more. Because the targets are eCommerce websites, the attacker could then gather sensitive data like banking information, addresses, etc.

Solution

All users of vulnerable versions of WooCommerce are encouraged to upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:

WooCommerce.Photoswipe.Caption.XSS
