WooCommerce 2.3.11 Patches Object Injection Vulnerability

WooCommerce 2.3.11 patches an object injection vulnerability discovered by Sucuri. According to the security research company, the vulnerability is only present when the PayPal Identity Token option is set in WooCommerce.

Researchers combined WordPress and WooCommerce components with a known PHP bug and were able to download critical files, including wp-config.php, which contains sensitive information. Versions 2.0.20 – 2.3.10 are considered vulnerable.
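The article names the bug class but not the code, so the following is an added illustration of what a PHP object injection flaw looks like and how it is closed; it is not WooCommerce's code and does not reproduce the PayPal Identity Token path. The `CachedReport` class, the `handle_callback_*` functions and the sample path are all constructed for the example.

```php
<?php
// Added illustration of PHP object injection (not WooCommerce's code).
// Hypothetical: a handler receives serialized data from a remote callback.

class CachedReport
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Magic methods run automatically when an object is unserialized or
    // destroyed. In a real codebase such a method might read or write
    // $this->path, so whoever controls the serialized bytes also controls
    // what the method operates on. Here it only reports that it ran.
    public function __wakeup(): void
    {
        echo "CachedReport::__wakeup() ran for path {$this->path}\n";
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
// Any class loaded in the application can be instantiated and its magic
// methods fire before the application has validated anything.
function handle_callback_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the
// payload become __PHP_Incomplete_Class and no magic method runs.
function handle_callback_no_classes(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization across a trust
// boundary at all. JSON carries no class names and triggers no magic methods.
function handle_callback_json(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample: a legitimate serialized CachedReport. An attacker who
// can reach the vulnerable handler supplies bytes of the same shape.
$payload = serialize(new CachedReport('/tmp/report-123.txt'));

echo "--- vulnerable handler ---\n";
$obj = handle_callback_vulnerable($payload);
echo "got an instance of " . get_class($obj) . "\n";

echo "--- allowed_classes => false ---\n";
$obj = handle_callback_no_classes($payload);
echo "got an instance of " . get_class($obj) . "\n";

echo "--- JSON instead of serialize ---\n";
try {
    handle_callback_json($payload);
} catch (JsonException $e) {
    echo "rejected: payload is not JSON\n";
}
```

Run it with `php` 8 or later (the `mixed` return type needs 8.0). The first section prints the `__wakeup()` line because the object was fully reconstructed; the second does not, because `allowed_classes => false` turns the object into `__PHP_Incomplete_Class`; the third rejects the payload outright. When auditing a plugin, the question to ask is simply whether any `unserialize()` call can be reached with data from a request, a webhook or a database field an attacker can write to.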

In addition to the patch, the release also has a number of bug fixes. If you haven’t already, update as soon as possible.


2 Comments

  1. IMHO, the fact we include code with other products and redistribute it is the root cause of the problem. This causes not only security problems but also conflicts between plugins (and the theme) and bugs.

    WordPress should get a dependency system, which allows code to dynamically load other code. For instance, if you create a theme that needs a JS library, that library should not be bundled with the theme. It should be loaded once and all plugins and the theme should use it.

    The actual situation in the WordPress themes and plugins marketplace is way more complex than described in this post. There are many cases where a plugin includes a library and that entire plugin is included in a theme. Each of these cases has a valid explanation.

    It’s pretty obvious that updates to the library will take forever to reach all sites that use the theme that has the plugin that embeds the library. Right?

    We used to do the same for our Toolset plugins. We encouraged theme authors to include an ‘Embedded Version’ of different Toolset plugins with their themes. We quickly discovered how problematic this is and we replaced it with ‘on demand’ installation, directly from our system. This was a huge development effort and I doubt that every plugin developer can afford it. It would have been far better to use a dependency system in WordPress, if such a thing existed.

    All of this would have been avoided if WordPress had a dependency system, which would allow resources to be loaded once and updated immediately.
