The Wordfence Threat Intelligence team has disclosed a stored cross-site scripting (XSS) vulnerability in the “Variation Swatches for WooCommerce” WordPress plugin. The vulnerability, tracked as CVE-2021-42367, allows a low-privileged attacker to inject malicious script into a WordPress site. Let’s see how to fix CVE-2021-42367, an XSS vulnerability in the Variation Swatches WordPress plugin.
According to the plugin’s download count, it has been downloaded more than 80,000 times, so every site owner who has installed the plugin on their WordPress website should treat this as relevant and update.
Variation Swatches for WooCommerce is a WordPress plugin that lets eCommerce sellers add variations to products created with WooCommerce. It helps store owners present the same product in different colors, images, labels, sizes, and styles in a way that WooCommerce alone does not support. Please visit this page to read more about the plugin.
The report states that the stored cross-site scripting vulnerability lets an attacker with low-level permissions (such as a subscriber account) inject malicious JavaScript that executes when a site administrator opens the plugin’s settings area. The root cause is the insecure implementation of several AJAX actions used to manage the plugin’s settings: they did not adequately check that the requesting user was allowed to change settings, so a low-privileged user could modify the plugin settings and store malicious script in them. Please read more details in this report.
Stored XSS that runs in an administrator’s browser can have serious consequences, such as creating a new administrator account or planting a backdoor that gives the attacker complete control of the site.
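To make the flaw class concrete, here is an added illustration (written for this post, not code from the Variation Swatches plugin or from Wordfence’s report) of a WordPress admin-ajax.php settings handler in its vulnerable and hardened forms. The action name, nonce name, option key and field name are hypothetical. The vulnerable version verifies only a nonce and stores the submitted value verbatim; the hardened one adds a capability check, sanitizes the input, and escapes the value again when it is rendered in the admin page.

```php
<?php
/**
 * Plugin Name: Swatch Settings Hardening Example
 *
 * Added illustration of the bug class behind CVE-2021-42367; not the real
 * plugin's code. Names such as 'example_swatch_save', 'example_swatch_nonce'
 * and the option key 'example_swatch_label' are hypothetical.
 */

// ---- Vulnerable pattern (do not ship) --------------------------------------
// Registered via wp_ajax_, so every logged-in user can reach it. The nonce only
// proves the request came from a page that carried the nonce; when the nonce is
// localized into a script loaded for all logged-in users, a subscriber has it
// too. Nothing here asks whether the caller is allowed to change settings, and
// the value is stored verbatim, so "<script>...</script>" is persisted and runs
// when an administrator opens the settings screen.
function example_swatch_save_settings_vulnerable() {
    check_ajax_referer( 'example_swatch_nonce', 'nonce' );   // CSRF token only
    $label = isset( $_POST['swatch_label'] ) ? $_POST['swatch_label'] : '';
    update_option( 'example_swatch_label', $label );        // no sanitization
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_swatch_save', 'example_swatch_save_settings_vulnerable' );

// ---- Hardened pattern --------------------------------------------------------
function example_swatch_save_settings_secure() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF: still verify the nonce; authorization and CSRF are separate checks.
    check_ajax_referer( 'example_swatch_nonce', 'nonce' );
    // 3. Input sanitization: strip tags and control characters before storing.
    $label = isset( $_POST['swatch_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['swatch_label'] ) )
        : '';
    update_option( 'example_swatch_label', $label );
    wp_send_json_success( array( 'label' => $label ) );
}
add_action( 'wp_ajax_example_swatch_save', 'example_swatch_save_settings_secure' );

// 4. Output escaping: stored data is escaped at the point of use, so a value
//    that reached the option through another path still cannot run as script.
function example_swatch_render_settings_field() {
    $label = get_option( 'example_swatch_label', '' );
    printf(
        '<input type="text" name="swatch_label" value="%s" />',
        esc_attr( $label )
    );
}
```

A nonce is a CSRF token, not an authorization check: any user who can obtain it can pass `check_ajax_referer()`, so every `wp_ajax_` handler that changes state needs an explicit `current_user_can()` test. Auditing a plugin for this class of bug is mostly a matter of listing its `add_action( 'wp_ajax_...' )` registrations and checking each callback for a capability test, input sanitization, and output escaping.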
| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2021-42367 |
| Description | Stored Cross-Site Scripting in “Variation Swatches for WooCommerce” WordPress plugin |
| Associated ZDI ID | NA |
| CVSS Score | 6.4 MEDIUM |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| Impact Score | 2.7 |
| Exploitability Score | 3.1 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Severity | Medium |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| Availability (A) | None |
This vulnerability exists in all versions up to and including 2.1.1. Update the plugin to v2.1.2 or later, where the flaw is patched.
Vulnerable plugins are a recurring problem for WordPress sites. On May 31, 2021, a critical zero-day vulnerability (CVE-2021-24370) was reported in the Fancy Product Designer plugin.
In October 2021, a bug in the Hashthemes Demo Importer plugin allowed users with only subscriber permissions to wipe all of a site’s content.
And in November 2021, another WordPress plugin flaw let attackers display a fake ransomware encryption message demanding about $6,000 to unlock the site.
The best way to fix CVE-2021-42367 is to update the Variation Swatches for WooCommerce plugin to v2.1.2 or higher. Keeping themes, plugins, and WordPress core up to date is always best practice and protects the site from newly disclosed vulnerabilities. In our view, updating plugins and software alone is not enough to stop attacks; consider a security solution such as Wordfence for your WordPress site. Such products continually add firewall rules and update their signature databases from their own research, which can protect a site from a threat before the patch is applied.
Follow these guidelines to keep your WordPress website healthy and safe:
Update all themes, plugins, and WordPress core regularly.
Limit failed login attempts.
Take regular backups.
Restrict the source IP addresses that can reach the login page.
Deploy a TLS certificate so the site is served over HTTPS.
Deactivate or delete unused plugins.
Change the default admin login slug (URL).
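As an added example (not part of the original post and not Wordfence code), the following must-use plugin implements two of the items above in PHP: restricting the login page to an allowlist of source IP addresses, and locking out a source IP after repeated failed logins. The allowlisted networks, thresholds and function names are assumptions chosen for illustration; drop the file into wp-content/mu-plugins/ and adjust them for your environment.

```php
<?php
/**
 * Plugin Name: Login Hardening Example
 *
 * Added illustration for two checklist items: source-IP restriction of the
 * login page and failed-login throttling. All values below are assumptions.
 */

// Assumed administrative networks (constructed example values, IPv4 only).
const EXAMPLE_LOGIN_ALLOWED_IPS  = array( '203.0.113.10', '198.51.100.0/24' );
const EXAMPLE_LOGIN_MAX_FAILURES = 5;     // failures before lockout
const EXAMPLE_LOGIN_LOCKOUT_SECS = 900;   // lockout window, 15 minutes

// True if $ip lies inside $cidr, given as 'a.b.c.d' or 'a.b.c.d/n'.
function example_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = (int) $bits;
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// Client address. REMOTE_ADDR is the only value the web server sets itself;
// trust X-Forwarded-For only if a proxy or CDN you control overwrites it.
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// 1. Source-IP restriction: runs before wp-login.php renders anything.
add_action( 'login_init', function () {
    $ip = example_client_ip();
    foreach ( EXAMPLE_LOGIN_ALLOWED_IPS as $allowed ) {
        if ( example_ip_in_cidr( $ip, $allowed ) ) {
            return;
        }
    }
    wp_die( 'Login is not permitted from this network.', 'Forbidden', array( 'response' => 403 ) );
} );

// 2. Failed-login throttling keyed by source IP, counted in a transient whose
//    expiry is refreshed on every failure (a sliding lockout window).
function example_login_failure_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_failure_key( example_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_LOCKOUT_SECS );
} );

// Reject authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20), so the WP_Error wins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( example_login_failure_key( example_client_ip() ) );
    if ( $count >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error( 'too_many_failures', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_login_failure_key( example_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner would want: the `login_init` allowlist protects wp-login.php only, while the `authenticate` filter also covers XML-RPC and REST logins; and keying lockouts on REMOTE_ADDR behind a CDN or reverse proxy that does not rewrite it will lock out every user at once, so confirm what address the web server actually sees before enabling this. IPv6 addresses are not handled by the CIDR helper above.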
We hope this post helps you fix CVE-2021-42367, the XSS vulnerability in the Variation Swatches WordPress plugin. Thanks for reading this threat post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.