10 Nov 2022

WooCommerce Fraud Prevention Plugin’s Functionality Can Be Disabled by Anyone Logged in to WordPress

When it comes to the security of WordPress plugins, those that extend the functionality of the ecommerce plugin WooCommerce would seem likely to be more secure than the average plugin, since security should matter for software on websites that handle money and customer data. But that continues not to be the case. Earlier this week the WP Tavern, whose ownership by Matt Mullenweg, the head of WooCommerce’s owner, is only barely disclosed, covered problems WooCommerce-based websites are having with fraudulent charges through the Stripe payment service from people testing stolen credit card numbers. The story mentioned one partial solution for that issue:

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin. It allows store owners to block orders from specific IP addresses, emails, address, state, and zip codes. This might help once attacks have started but doesn’t fully prevent them.

We took a quick look at that plugin to see if it was properly secured and found that it isn’t. Among the issues, anyone logged in to WordPress is able to disable the plugin’s functionality by resetting the plugin’s settings, which limits the effectiveness of the plugin. If another security issue were present in the plugin, an attacker could take advantage of it to change the plugin’s settings as well.

The plugin previously had easy to spot vulnerabilities in it for over two years, which were only addressed after we had done a security review of another plugin using the same vulnerable third-party library.

The insecurity of AJAX-accessible functions has been a common problem with WooCommerce-extending plugins for years, including plenty of instances where it looks like that insecurity led to vulnerabilities that hackers were targeting.
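As an added illustration (not code from the WooCommerce Fraud Prevention plugin or any other Dotstore plugin), here is the weak AJAX handler pattern described above beside a hardened version. The hook, function and option names are assumed; `current_user_can()`, `check_ajax_referer()` and `wp_send_json_*()` are WordPress core functions, and `manage_woocommerce` is the capability WooCommerce grants to shop managers and administrators.

```php
<?php
// Added illustration, not the plugin's own code. Hook, function and option
// names (example_*) are assumed for the demonstration.

// Weak pattern: registering on wp_ajax_ only means the caller has to be logged
// in to WordPress. Without a capability check, a subscriber-level account can
// reach it, and without a nonce a forged request from another site can too.
add_action( 'wp_ajax_example_reset_fraud_settings', 'example_reset_fraud_settings_weak' );
function example_reset_fraud_settings_weak() {
    delete_option( 'example_fraud_prevention_settings' ); // assumed option name
    wp_send_json_success( 'Settings reset' );
}

// Hardened pattern: require the capability store administration needs, verify
// a nonce tied to this specific action, and only then touch the option.
add_action( 'wp_ajax_example_reset_fraud_settings_secure', 'example_reset_fraud_settings_secure' );
function example_reset_fraud_settings_secure() {
    // 1. Capability check. manage_woocommerce is WooCommerce's capability for
    //    shop managers and administrators; ordinary logged-in users lack it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 ); // exits
    }
    // 2. Nonce check (CSRF protection). check_ajax_referer() dies on failure,
    //    so execution continues only with a valid nonce in $_REQUEST['security'].
    check_ajax_referer( 'example_reset_fraud_settings', 'security' );

    delete_option( 'example_fraud_prevention_settings' );
    wp_send_json_success( 'Settings reset' );
}

// The nonce is handed to the plugin's admin-page script, which sends it back
// as the "security" field of the AJAX request. admin.js is an assumed file.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-fraud-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-fraud-admin', 'exampleFraud', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_fraud_settings' ),
    ) );
} );
```

The point of the hardened version is that the two checks do different jobs: the capability check decides which accounts may change the settings at all, and the nonce ties the request to a page the plugin itself rendered for that user. Leaving out either one is what turns an administrative action into something any logged-in user, or a page they are tricked into visiting, can trigger.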

The developer of this plugin, Dotstore, says they are focused on WooCommerce plugins:

We develop plugins that can augment easy customization of your WooCommerce website. Our experienced and highly skilled plugin developers have made the plugins as add-ons to the default options provided by WooCommerce.

It looks like they have 16 additional plugins that extend WooCommerce. It seems unlikely those others are properly secured.

Automattic Could Help Address This

WooCommerce is owned by Automattic, which is the company closely associated with WordPress. They could easily help to address this situation by doing some light checking of WooCommerce extending plugins to see if they are insecure in common areas like AJAX accessible functionality. As this situation shows, even checking a limited number of plugins could catch wider security issues, as developers often have multiple plugins.
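The light checking suggested above could start with something as simple as the following script, an added example rather than any tooling Automattic, WordPress.org or Dotstore actually uses. It lists `wp_ajax_` hook registrations in a plugin's PHP files and flags handler functions whose body contains neither `current_user_can()` nor a nonce check. It is a heuristic to direct a reviewer's attention, not proof of a vulnerability: callbacks registered as closures, array callables or class methods are not resolved, and checks done inside a helper function are not seen. The `example_*` function names are assumed, and the sample plugin source used when no directory is given is constructed for the demonstration.

```php
<?php
// Added example: heuristic scan for wp_ajax_* handlers that lack capability
// and nonce checks. Not tooling from Automattic, WordPress.org or Dotstore.

// Scan an array of path => PHP source text and return a list of findings.
function example_scan_sources( array $sources ): array {
    $findings = [];
    // Matches add_action( 'wp_ajax_<action>', '<callback>' ) with a string callback.
    $hook_re = '/add_action\(\s*[\'"]wp_ajax_(nopriv_)?([\w-]+)[\'"]\s*,\s*[\'"](\w+)[\'"]/';
    foreach ( $sources as $path => $code ) {
        if ( ! preg_match_all( $hook_re, $code, $hooks, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $hooks as $h ) {
            [ , $nopriv, $action, $callback ] = $h;
            $body = example_find_function_body( $sources, $callback );
            if ( $body === null ) {
                $findings[] = compact( 'path', 'action', 'callback' ) + [ 'issue' => 'callback not found (closure or method?)' ];
                continue;
            }
            $has_cap   = (bool) preg_match( '/\bcurrent_user_can\s*\(/', $body );
            $has_nonce = (bool) preg_match( '/\b(check_ajax_referer|wp_verify_nonce)\s*\(/', $body );
            $issues = [];
            if ( $nopriv !== '' ) {
                $issues[] = 'reachable without login (nopriv)';
            } elseif ( ! $has_cap ) {
                $issues[] = 'no current_user_can() check';
            }
            if ( ! $has_nonce ) {
                $issues[] = 'no nonce check';
            }
            if ( $issues ) {
                $findings[] = compact( 'path', 'action', 'callback' ) + [ 'issue' => implode( '; ', $issues ) ];
            }
        }
    }
    return $findings;
}

// Find a named top-level function in any scanned file and return its body,
// from the opening brace to the matching closing brace, or null if not found.
function example_find_function_body( array $sources, string $name ): ?string {
    $re = '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)[^{]*\{/';
    foreach ( $sources as $code ) {
        if ( ! preg_match( $re, $code, $m, PREG_OFFSET_CAPTURE ) ) {
            continue;
        }
        $open  = $m[0][1] + strlen( $m[0][0] ) - 1; // offset of the opening brace
        $depth = 0;
        for ( $i = $open, $n = strlen( $code ); $i < $n; $i++ ) {
            if ( $code[ $i ] === '{' ) {
                $depth++;
            } elseif ( $code[ $i ] === '}' && --$depth === 0 ) {
                return substr( $code, $open, $i - $open + 1 );
            }
        }
    }
    return null;
}

// Read every .php file under a plugin directory into path => source.
function example_load_plugin_sources( string $dir ): array {
    $sources = [];
    $files   = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {
        if ( $file->isFile() && $file->getExtension() === 'php' ) {
            $sources[ $file->getPathname() ] = file_get_contents( $file->getPathname() );
        }
    }
    return $sources;
}

// Constructed sample plugin source, used when no directory is given: one
// handler with no checks and one with both.
$example_sample = [
    'sample-plugin.php' => '<?php
add_action( "wp_ajax_example_reset_settings", "example_reset_settings" );
function example_reset_settings() {
    delete_option( "example_settings" );
    wp_send_json_success();
}
add_action( "wp_ajax_example_save_settings", "example_save_settings" );
function example_save_settings() {
    if ( ! current_user_can( "manage_woocommerce" ) ) { wp_send_json_error( null, 403 ); }
    check_ajax_referer( "example_save_settings", "security" );
    update_option( "example_settings", wp_unslash( $_POST["settings"] ) );
    wp_send_json_success();
}',
];

// Usage: php scan.php [/path/to/wp-content/plugins/some-plugin]
if ( PHP_SAPI === 'cli' ) {
    $sources = isset( $argv[1] ) ? example_load_plugin_sources( $argv[1] ) : $example_sample;
    foreach ( example_scan_sources( $sources ) as $f ) {
        printf( "%s: wp_ajax_%s -> %s(): %s\n", $f['path'], $f['action'], $f['callback'], $f['issue'] );
    }
}
```

Run against the constructed sample, only `example_reset_settings` is reported, with both checks missing. A real review would then read each flagged handler to see what it changes and whether a check happens somewhere the regex cannot see, but even this much would surface the kind of handler described in this post across a developer's whole catalogue of plugins in minutes.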

A possible explanation for why they haven’t had an interest in ensuring plugins extending WooCommerce are secure is that Automattic makes money off of the insecurity of WordPress plugins, and of WordPress more generally, through things like Jetpack and WPScan.


Plugin Security Scorecard Grade for WooCommerce: F (checked on March 31, 2025)

Plugin Security Scorecard Grade for WooCommerce Fraud Prevention Plugin: C+ (checked on August 27, 2024)
