Security Affairs

Discount Rules for WooCommerce WordPress plugin gets patch once again


It has happened again: users of the Discount Rules for WooCommerce WordPress plugin have to install a third patch to fix two high-severity XSS flaws.

Developers of the Discount Rules for WooCommerce WordPress plugin have revealed for the third time a security patch to address two high-severity cross-site scripting (XSS) flaws that could be exploited by an attacker to hijack a targeted site.

Administrators of e-stores using the WordPress plugin Discount Rules for WooCommerce have to apply the patch as soon as possible. The development team behind the plugin tried twice to address the same issues, with a first patch released on August 22 and a second one on September 2, but both failed to fix the vulnerabilities.

The third round of security fixes was released on September 9, and now researchers from Wordfence publicly disclosed technical details of the flaws.

“On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. We released a firewall rule to protect against these vulnerabilities the same day.” reads the analysis published by Wordfence. “During our investigation, we also discovered a separate set of vulnerabilities in the plugin that were not yet patched, and released a firewall rule to protect against these separate vulnerabilities the next day, on August 21, 2020.”

Both vulnerabilities stem from the plugin developer’s implementation of Asynchronous JavaScript and XML (AJAX) actions, and they are classified as an authorization bypass leading to stored cross-site scripting.

The vulnerabilities that were initially addressed in the plugin were AJAX actions in the “v2” codebase of the plugin that allowed any site visitor to add, modify, and delete discount rules, and to view any existing coupons.

On August 20, Wordfence experts reported the issues in the v2 codebase of Discount Rules for WooCommerce to Flycart, the development team behind the plugin.

“The vulnerabilities that were originally patched in the plugin were AJAX actions present in the “v2” codebase of the plugin that allowed any site visitor to add, modify, and delete these rules and view any existing coupons. Unfortunately, the plugin maintained a separate “v1” codebase containing an earlier version of this functionality.” continues the analysis. “Anyone visiting the site could switch between the v1 and v2 codebase by visiting any page on the site and adding a awdr_switch_plugin_to query string parameter set to v1 or v2.”

The second patch released in early September addressed the flaws but left the version-switching functionality vulnerable to cross-site request forgery (CSRF) attacks. On September 9, Flycart released a patch that addressed both Discount Rules for WooCommerce issues.
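To make the two defects concrete, here is an added illustration (not Flycart’s code) of a WordPress AJAX handler in the shape the article describes, followed by the hardened form: privileged-only registration, a CSRF nonce, a capability check, and input sanitisation. The action, option, and nonce names are hypothetical.

```php
<?php
// Added example; not the plugin's code. Names prefixed awdr_example_ are hypothetical.

// BEFORE: registered for logged-out visitors too, no nonce, no capability check.
// Any visitor can write a rule, and the stored name later reaches admin pages.
add_action( 'wp_ajax_nopriv_awdr_example_save_rule', 'awdr_example_save_rule_insecure' );
add_action( 'wp_ajax_awdr_example_save_rule', 'awdr_example_save_rule_insecure' );
function awdr_example_save_rule_insecure() {
    $rules   = get_option( 'awdr_example_rules', array() );
    $rules[] = array( 'name' => $_POST['name'], 'discount' => $_POST['discount'] );
    update_option( 'awdr_example_rules', $rules );
    wp_send_json_success();
}

// AFTER: no wp_ajax_nopriv_ hook, nonce + capability + sanitisation.
add_action( 'wp_ajax_awdr_example_save_rule_v2', 'awdr_example_save_rule_secure' );
function awdr_example_save_rule_secure() {
    // Dies with HTTP 403 when the nonce is missing or stale: blocks CSRF.
    check_ajax_referer( 'awdr_example_save_rule', 'nonce' );
    // Only shop managers may change pricing rules: closes the authorization bypass.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name     = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $discount = absint( $_POST['discount'] ?? 0 );
    if ( '' === $name || $discount > 100 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $rules   = get_option( 'awdr_example_rules', array() );
    $rules[] = array( 'name' => $name, 'discount' => $discount );
    update_option( 'awdr_example_rules', $rules );
    wp_send_json_success();
    // When rendering, still escape: echo esc_html( $rule['name'] );
}

// The v1/v2 switch needs the same treatment: never act on a bare GET parameter.
add_action( 'admin_init', 'awdr_example_switch_codebase' );
function awdr_example_switch_codebase() {
    if ( ! isset( $_GET['awdr_switch_plugin_to'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' )
        || ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'awdr_example_switch' ) ) {
        wp_die( 'Not allowed', 403 );
    }
    $target = ( 'v1' === $_GET['awdr_switch_plugin_to'] ) ? 'v1' : 'v2';
    update_option( 'awdr_example_codebase', $target );
}
```

The nonce for the AJAX call would be emitted with `wp_create_nonce( 'awdr_example_save_rule' )` on the admin page and sent as the `nonce` POST field; the switch link would carry `wp_nonce_url( $url, 'awdr_example_switch' )`.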

Experts strongly recommend updating to the latest version of this plugin, version 2.2.1, as soon as possible.


Pierluigi Paganini

(SecurityAffairs – hacking, Discount Rules for WooCommerce)
