XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce
On November 11, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Variation Swatches for WooCommerce”, a WordPress plugin that is installed on over 80,000 sites and acts as an extension for WooCommerce.
This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the plugin’s settings area.
All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection. For added protection, we released an additional firewall rule to protect Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.
We sent the full disclosure details on November 12, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 23, 2021.