The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in WooCommerce. WooCommerce is an open-source eCommerce platform built on WordPress. According to BuiltWith statistics, WooCommerce is the No. 1 eCommerce platform, owning 22% of global market share in 2018.
This XSS vulnerability (CVE-2019-9168) exists in the zoom display of the PhotoSwipe function, where WooCommerce failed to sanitize an image’s title and caption data. This vulnerability may allow an attacker to inject arbitrary code into a WooCommerce-powered website. When a victim visits a page into which the attack code has been inserted, the attacker could gain control of the victim’s browser, hijack the current WooCommerce session, gather sensitive information, and so on.
This XSS vulnerability affects WooCommerce versions prior to 3.5.4.
Based on the zero-day alert provided by FortiGuard Labs, the WooCommerce team has issued a software patch. From their summary, we can see that the WooCommerce fix now sanitizes the title and caption data. See Figure 1.
Figure 1. CVE-2019-9168 patch
Figure 2. Uploading an image
Figure 3. Insertion of XSS code
Then, once a user with low privileges adds this infected image as a product image or to a product gallery, the XSS code is inserted into the product page. See Figure 4.
Figure 4. Compromised image added to Products page
Now, when a victim views this product and zooms into the product image, the XSS code will be automatically executed. See Figures 5 and 6.
Figure 5. Zooming in on the product image
Figure 6. Triggering the XSS attack
To simplify the attack process, an attacker could modify an image’s Title and Subject metadata locally, setting both to "<img src=1 onerror=prompt('2')>" (note: without the surrounding double quotes). See Figure 7.
Figure 7. Creating the PoC file locally
The attacker can then share this image with the site manager. When the manager uses this image as the product image or in the product gallery, the XSS code is inserted. See Figure 8.
Figure 8. Site manager uses the PoC file as the product image
Figure 9. Triggering the XSS attack
An attacker could exploit this vulnerability to hijack the current user session, control a victim’s browser, and more. Because the targets are eCommerce websites, the attacker could then gather sensitive data such as banking information and addresses.
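The following is an added illustration of the data flow behind this bug and its fix; it is not WooCommerce's or PhotoSwipe's own code. It models untrusted attachment title/caption data (WordPress fills both from an uploaded image's metadata) reaching a lightbox caption that is rendered as HTML, and shows why the encoding must be applied for the context where the value finally becomes markup. The element class name, the `readAttribute` helper and the sample image record are assumptions made for the example.

```javascript
// Added example, not WooCommerce's or PhotoSwipe's code.
// Constructed sample: an uploaded image whose Title carries the page's PoC payload.
const UPLOADED_IMAGE = {
  title: "<img src=1 onerror=prompt('2')>",
  caption: '',
};

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const CHAR = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };

// HTML-encode a string for use as element content or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Approximates what element.getAttribute() hands back to a script: the browser
// already decoded the entities once when it parsed the attribute.
function readAttribute(encodedValue) {
  return encodedValue.replace(/&(amp|lt|gt|quot|#039);/g, (m, name) => CHAR[name]);
}

// Vulnerable flow: the caption is escaped into a data-caption attribute (fine
// on its own), read back by the gallery script, and then inserted into the
// caption container as HTML. The decode on read undoes the attribute escaping,
// so the injected tag is live again when it reaches innerHTML.
function captionMarkupVulnerable(image) {
  const dataCaption = escapeHtml(image.caption || image.title); // data-caption="..."
  const fromDom = readAttribute(dataCaption);                  // value the script sees
  return `<div class="pswp__caption__center">${fromDom}</div>`;
}

// Hardened flow: encode at the point where the value becomes markup, i.e. after
// it is read from the attribute and before it is inserted. Assigning the value
// as a text node (textContent) instead of innerHTML gives the same result.
function captionMarkupHardened(image) {
  const dataCaption = escapeHtml(image.caption || image.title);
  const fromDom = readAttribute(dataCaption);
  return `<div class="pswp__caption__center">${escapeHtml(fromDom)}</div>`;
}

// Review check for rendered fragments: is there still an unescaped tag inside
// the caption container?
function containsRawTag(fragment) {
  const inner = fragment.replace(/^<div class="pswp__caption__center">|<\/div>$/g, '');
  return /<[a-z]/i.test(inner);
}
```

The check confirms that attribute-level escaping alone does not survive the attribute read, while encoding at insertion time leaves the payload as inert text.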
All users of vulnerable versions of WooCommerce are encouraged to upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature: