
Tag Archives: woocommerce


Vulnerabilities Discovered in Five WooCommerce WordPress Plugins


The U.S. government's National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.

The vulnerabilities range in severity up to Critical, the highest rated 9.8 on a scale of 1 to 10.

Every vulnerability was assigned a CVE (Common Vulnerabilities and Exposures) identifier.

1. Advanced Order Export For WooCommerce

The Advanced Order Export for WooCommerce plugin, installed in over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A Cross-Site Request Forgery (CSRF) vulnerability arises from a flaw in a website plugin that allows an attacker to trick a website user into performing an unintended action.

Browsers typically hold cookies that tell a website that a user is registered and logged in. A forged request sent from the victim's browser carries those cookies, so if the victim is an admin, the attacker's request runs with admin privileges. This gives the attacker full access to a website, exposes sensitive customer information, and so on.

This specific vulnerability can lead to an export file download. The vulnerability description doesn’t describe what file can be downloaded by an attacker.

Given that the plugin’s purpose is to export WooCommerce order data, it may be reasonable to assume that order data is the kind of file an attacker can access.

The official vulnerability description:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”

The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.

The official changelog for the plugin notes that the vulnerability was patched in version 3.3.3.

Read more at the National Vulnerability Database (NVD): CVE-2022-40128

2. Advanced Dynamic Pricing for WooCommerce

The second affected plugin is the Advanced Dynamic Pricing plugin for WooCommerce which is installed in over 20,000 websites.

This plugin was discovered to have two Cross-Site Request Forgery (CSRF) vulnerabilities that affect all plugin versions less than 4.1.6.

The purpose of the plugin is to make it easy for merchants to create discount and pricing rules.

The first vulnerability (CVE-2022-43488) can lead to a “rule type migration.”

That description is vague; presumably the vulnerability has something to do with the ability to change the pricing rules.

The official description provided at the NVD:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.”

Read more at the NVD: CVE-2022-43488

The NVD assigned the second CSRF vulnerability in the Advanced Dynamic Pricing for WooCommerce plugin a CVE number, CVE-2022-43491.

The official NVD description of the vulnerability is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.”

The official plugin changelog notes:

“Changelog – 4.1.6 – 2022-10-26

Fixed some CSRF and broken access control vulnerabilities”

Read the official NVD announcement: CVE-2022-43491

3. Advanced Coupons for WooCommerce Coupons plugin

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs.

The problem discovered in this plugin is also a CSRF vulnerability and affects all versions less than 4.5.01.

The plugin changelog calls the patch a bug fix:

“Bug Fix: The getting started notice dismiss AJAX request has no nonce value.”

The official NVD description is:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”

Read more at the NVD: CVE-2022-43481

4. WooCommerce Dropshipping by OPMC – Critical

The fourth affected software is the WooCommerce Dropshipping by OPMC plugin which has over 3,000 installations.

Versions of this plugin less than version 4.4 contain an Unauthenticated SQL injection vulnerability rated 9.8 (on a scale of 1-10) and labeled as Critical.

In general, a SQL injection vulnerability allows an attacker to manipulate the WordPress database: assume admin-level permissions, make changes to the database, erase the database, or download sensitive data.

The NVD describes this specific plugin vulnerability:

“The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.”

Read more at the NVD: CVE-2022-3481

Read the official plugin changelog.
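The defect class the NVD entry describes, a REST route open to unauthenticated callers that builds a SQL statement from a request parameter, shown next to its hardened form. This is an added illustration, not the OPMC plugin's code; the route names, the `example_orders` table and the `manage_woocommerce` capability requirement are assumptions.

```php
<?php
// Added illustration (not the OPMC plugin's code). Route names, the
// example_orders table and the capability requirement are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-dropship/v1', '/orders-unsafe', array(
        'methods'             => 'GET',
        // Anyone, logged in or not, may call this route.
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            $status = $request->get_param( 'status' );
            // Untrusted input concatenated into the statement: SQL injection.
            $sql = "SELECT id, total FROM {$wpdb->prefix}example_orders "
                 . "WHERE status = '$status'";
            return $wpdb->get_results( $sql );
        },
    ) );
} );

// --- Hardened pattern -----------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-dropship/v1', '/orders', array(
        'methods'             => 'GET',
        // Only a logged-in user with a store-management capability may call it.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Declare the parameter with a schema; the REST server rejects a
        // request whose value is not one of the listed strings before the
        // callback runs, and sanitizes the value that does get through.
        'args'                => array(
            'status' => array(
                'required'          => true,
                'type'              => 'string',
                'enum'              => array( 'pending', 'shipped', 'cancelled' ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            // %s placeholder: $wpdb quotes and escapes the value itself. The
            // table name comes from the trusted prefix, never from the request.
            $sql = $wpdb->prepare(
                "SELECT id, total FROM {$wpdb->prefix}example_orders WHERE status = %s",
                $request->get_param( 'status' )
            );
            return rest_ensure_response( $wpdb->get_results( $sql ) );
        },
    ) );
} );
```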

5. Role Based Pricing for WooCommerce

The Role Based Pricing for WooCommerce plugin has two Cross-Site Request Forgery (CSRF) vulnerabilities. There are 2,000 installations of this plugin.

As noted for another plugin above, a CSRF vulnerability generally involves an attacker tricking an admin or other user into clicking a link or performing some other action, which can result in the attacker acting with that user's website permission levels.

This vulnerability is rated 8.8 High.

The NVD description of the first vulnerability warns:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP”

The following is the official NVD description of the second vulnerability:

“The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog”

The official Role Based Pricing for WooCommerce WordPress plugin changelog advises that the plugin is fully patched in version 1.6.2:

“Changelog 2022-10-01 – version 1.6.2

* Fixed the Arbitrary File Upload Vulnerability.

* Fixed the issue of ajax nonce check.”
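Both the Advanced Coupons changelog above (“AJAX request has no nonce value”) and this one (“ajax nonce check”) point at the same root cause: an admin-ajax handler that acts on a request without verifying a nonce or the caller's capability. As an added illustration, not code from either plugin, here is that handler pattern beside a hardened version; the action and option names, the `manage_woocommerce` capability and the CSV-only upload rule are assumptions.

```php
<?php
// Added illustration (not code from either plugin). Action and option names,
// the capability and the CSV-only upload rule are hypothetical.

// --- Vulnerable pattern: any request that reaches admin-ajax.php carrying the
// victim's session cookie runs this, so a form forged on another site works.
add_action( 'wp_ajax_example_import_rules_v1', function () {
    update_option( 'example_pricing_rules', wp_unslash( $_POST['rules'] ) );
    wp_send_json_success();
} );

// --- Hardened pattern -----------------------------------------------------
// 1. Hand a nonce to the plugin's own admin script; a third-party page
//    cannot read it, so it cannot forge a request that passes the check.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-pricing-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-pricing-admin', 'examplePricing', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_import_rules' ),
    ) );
} );

// 2. Verify the nonce, then the capability, then the input, before acting.
add_action( 'wp_ajax_example_import_rules', function () {
    // Sends a 403 and exits unless $_POST['_ajax_nonce'] is a valid nonce
    // for this action, issued to the current user.
    check_ajax_referer( 'example_import_rules' );

    // A nonce proves intent, not authority: a subscriber's own nonce is
    // valid too, so the capability check is still required.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $rules = json_decode( wp_unslash( $_POST['rules'] ?? '' ), true );
    if ( ! is_array( $rules ) ) {
        wp_send_json_error( 'rules must be a JSON array', 400 );
    }
    update_option( 'example_pricing_rules', $rules );

    // Optional companion upload: whitelist the one type the feature needs,
    // so a .php file is rejected by wp_handle_upload() rather than stored.
    if ( ! empty( $_FILES['rules_csv'] ) ) {
        $result = wp_handle_upload( $_FILES['rules_csv'], array(
            'test_form' => false,
            'mimes'     => array( 'csv' => 'text/csv' ),
        ) );
        if ( isset( $result['error'] ) ) {
            wp_send_json_error( $result['error'], 400 );
        }
    }
    wp_send_json_success();
} );
```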

Read the official NVD documentation:



Course of Action

It is considered a good practice to update all vulnerable plugins. It’s also a best practice to back up the site before making any plugin updates and (if possible) to stage the site and test the plugin before updating.

If you are interested in the original article by Roger Montti, you can find it here.

WooCommerce 6.9 Released, High-Performance Order Storage Targeted for 7.1


WooCommerce 6.9 was released today and was quickly followed up with 6.9.1 after a bug caused some stores to produce a warning or a fatal error, depending on the site’s PHP version.

This release brings the new Cart and Checkout blocks into core as beta features. These blocks have been available in the WooCommerce Blocks plugin since version 2.6 was released in May 2020. They enable store owners to better customize the purchase flow experience with the power of blocks.

After two years of testing, the Cart and Checkout blocks are compatible with more than a dozen payment gateways and shipping options, as well as 19 popular extensions.

WooCommerce 6.9 improves product filtering by updating the URL (without reloading the page) when visitors use filters with the All Products blocks. Dropdown attribute filters now allow users to select multiple terms when the query type is set to AND.

As the core team warned last month, WooCommerce will no longer register Customizer options when a block theme is active as of version 6.9.

These are just a few highlights from the 6.9 release, which includes 90 fixes, additions, updates, enhancements, tweaks, and more, from 39 contributors. Check out the 6.9 changelog for all the details.

The WooCommerce development team also published a progress report on the High-Performance Order Storage (HPOS) project, more commonly known as custom order tables. This long-awaited improvement promises significant performance gains for stores. It is a major change that will impact extension developers in different ways. In May, WooCommerce core developers called for early testing on custom order table migrations.

“We’ve decided to rename Custom Order Tables to High-Performance Order Storage to make it more clear and more understandable what this change is about and what it should bring everyone,” WooCommerce core team lead Peter Fabian said. “We want our users to understand the why of our work more easily. We also understand that the original name has been around for a long time and some people might still prefer it over the new one, and that is, of course, fine.”

WooCommerce has been testing HPOS extensively and has started upgrading Woo-owned extensions. The team plans to present a feature complete version in WooCommerce 7.1, which is expected in November.

“This timeline depends on the number of defects we discover during the testing phase,” Fabian said. “Also note that this means the core implementation is production ready, not necessarily that every extension or plugin a site may use is compatible yet.”

When HPOS makes its debut in WooCommerce core, it will be strictly opt-in as the rest of the extension ecosystem works to make their plugins compatible. As greater numbers of WooCommerce products adopt HPOS, core will be able to turn it on by default. Fabian said his team expects that HPOS could become the default experience for stores by August 2023.

If you are interested in the original article by Sarah Gooding, you can find it here.

WordPress Product Launches Roundup: APPExperts, WP Wallet, Block Styles, and Stock Control for WooCommerce


Despite the flurry of April Fools' Day jokes circulating, the WordPress product market has been heating up in the past couple of weeks with new entrants that we are highlighting in a roundup. These products range from newly in beta to fully launched. Some are banking on the freemium model and others are fully commercial products.

APPExperts Mobile Application Builder Plugin Now in Beta

APPExperts is a new mobile application builder plugin that is now in beta, developed by the WPExperts team. It turns WordPress and WooCommerce websites into fully functional apps for iOS and Android phones, tablets, and other mobile devices. The plugin itself functions only as a connector to the APPExperts platform, which is powered by Flutter.

Users can create their first app for free and the commercial version includes additional features like push notifications, ads integration, and plugin integrations. APPExperts is going up against more established competitors like AppPresser, which bills annually for the use of its platform. During its pre-beta period, APPExperts added 500 users on its connector plugin who generated more than 1,000 apps for iOS and Android.

WP Wallet Organizes Commercial Theme and Plugin Licenses Into a Single Dashboard

WP Wallet is a new product, created by the team behind MasterWP, that helps WordPress site owners keep track of their license keys for commercial themes and plugins. The idea is to prevent users from missing license renewals, losing license keys, and struggling with invoicing. The service scans each website added to the account and retrieves any commercial license subscription fees, capturing any administrative details. It can also send invoices for payment via PayPal or Stripe with no transaction fees. Everything related to commercial licenses is organized into a single dashboard.

WP Wallet is free forever for up to three websites and is supported by ads. Free users can share access with unlimited team members and connect to Stripe or PayPal. Upgrading to Pro is less than $10 per month and allows users to add unlimited sites, connect multiple payment gateways, and will soon include a Chrome Extension and API.

Block Styles Plugin Now in Beta, Brings Advanced Styles to the Block Editor

Block Styles is a new plugin now in beta that lets users further customize core blocks with unique styles. It works with many popular block collection plugins and boasts “fully responsive block-level design control.” This allows users to change style attributes based on desktop, tablet, and mobile sizes, and eventually custom device sizes, hover/action states and pseudo elements.

The Block Styles plugin has advanced layout controls with visibility settings that can be set based on user role, device size, and login status. It also adds the ability to customize the background of every Gutenberg block with colors, gradient options, and linear and radial settings. The team is working on adding multiple backgrounds and video backgrounds. The plugin has support for advanced border styles, typography controls, special effects, animations, and custom CSS for every block.

Pricing for the Block Styles plugin ranges from $69/year for one site to $499/year for unlimited sites.

Stock Control for WooCommerce Makes It Easier to Manage Inventory

Stock Control for WooCommerce is a new plugin that launched this week, created by plugin developer Edith Allison. It makes it easier to manage WooCommerce inventory and make quick adjustments. Store owners can manipulate stock, and change descriptions, images, attributes, and categories all on one page.

Product changes can be published immediately or saved for review later. The plugin also logs who made the changes and when. It uses the Heartbeat API to monitor the shop and will notify if there is an editing conflict with another site manager. It will also notify if stock quantities change while the site owner is working on the products.

Stock Control for WooCommerce starts at €29,90/year for single site licenses and goes up to €149,90/year for agencies. The roadmap for future updates includes more translations, an attribute manager, bulk actions, scheduled publication of changes, compatibility with Woo Product Bundles, and a way to show “held” stock.

If you are interested in the original article by Sarah Gooding, you can read it here.


WooCommerce Plans to Bring Full-Site Editing Support to Single Product Templates


WooCommerce is moving closer to closing the gap on its full-site editing support with the latest features announced on the Q1/Q2 roadmap. While the e-commerce platform already has support for nearly two dozen core blocks, it’s not yet possible to use full-site editing to customize every aspect of a store.

The concept of “Store Editing” is still in the early stages with active development happening in the WooCommerce Blocks repository. Currently, WooCommerce stores are fully functional with block themes with the help of a classic template block.

“We took a very transitional approach to this support by introducing a classic template block that works in concert with custom WooCommerce templates to make various existing PHP-based WooCommerce templates compatible with block themes,” WooCommerce engineer Darren Ethier said in the roadmap update.

More missing pieces from the Store Editing concept will be sliding into place soon with the introduction of the Mini Cart block, a cart button usually found in the header that shows a quick preview of its contents. The Mini Cart block is already available in the WooCommerce Blocks plugin and is anticipated to land in the May release of WooCommerce core. The team is also currently working on adding global styles support to its existing library of blocks.

Two new blocks are next on the roadmap – a Product Search Block and a Dynamic “My Account” link block. As major Gutenberg improvements for templates and menus are introduced in WordPress 6.0, WooCommerce developers will ensure Store Editing has compatibility.

Further ahead on the roadmap, WooCommerce developers have committed to “blockifying” the Single Product Template, transforming every aspect of the template to be powered by blocks. Ethier shared an early mockup of how that might look.

The ability to manipulate every part of a product listing, without touching any code, is something that was unimaginable before blocks. It is the culmination of everything promised by the block paradigm in the early days of the Gutenberg project.

A blockified single product template will empower store owners who might otherwise have had to hire a developer to make these kinds of changes to templates. Making customization more accessible is the reasoning behind the concept of Store Editing.

“The primary consumer of everything we build in this new Store Editing environment is the merchant,” Ethier said. “The end result is that merchants should have more ability than ever to be able to completely customize their store themselves even if they don’t know any code.”

WooCommerce did not set a timeline for when the single product template will be fully powered by blocks, but the plan is to update all of the plugin’s templates in the same way.

The move towards Store Editing will also have cascading effects on the developer ecosystem. Ethier anticipates it will create more opportunities for those who develop store customization products using blocks.

“Instead of the ecosystem having to reproduce various user interfaces and experiences in the solutions they build, they will be able to tap into a common set of APIs and components to create those solutions,” Ethier said. “This in turn will lead to a more consistent and powerful interface for the consumers of their extensions and themes and give more time back to the extension and theme developers to iterate on the unique logic/design of their solutions. There will also be potential for new emerging marketplaces that offer blocks, block patterns, and template part variations as improved ways for stores to be customized.”

The full article by Sarah Gooding can be found here.