Wordfence recently discovered that a WordPress plugin named “Variation Swatches for WooCommerce”, which is actively installed on 80,000+ sites, has a serious stored XSS vulnerability that can allow attackers to take over your site.
It also lets attackers inject malicious scripts that can cause serious SEO problems.
About the Variation Swatches Plugin
Variation Swatches is a WooCommerce WordPress plugin developed by Woosuite that helps display your products in a nicer way. Using this plugin you can show multiple variations of a single product. For example, you can display the same t-shirt in different colors and different sizes.
XSS Vulnerability Information
Description: Stored Cross-Site Scripting
Credits: Wordfence
Affected Plugin: Variation Swatches for WooCommerce
Plugin Slug: variation-swatches-for-woocommerce
Plugin Developer: Woosuite
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-42367
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher: Chloe Chamberland
Fully Patched Version: 2.1.2
According to Chloe Chamberland: “This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin.”
Chloe Chamberland of Wordfence discovered this XSS vulnerability on November 11, 2021, and contacted the plugin developers with full details of the vulnerability and the site-takeover risk. The plugin developers then fixed it and sent the updated plugin to Wordfence for security testing, after which the update was made available to all WordPress users globally. They can now update the plugin from the updates dashboard to the fully patched version, 2.1.2.
We recommend using a free WordPress security plugin such as Wordfence Security – Firewall & Malware Scan to protect your blog from cyberattackers.
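The class of bug described above (a low-privilege user writing into a plugin setting that is later rendered, unescaped, to an administrator) comes down to missing authorization and missing output escaping. The following is an added illustration, not code from the Variation Swatches plugin or from Wordfence: a hypothetical settings handler in the weak shape beside the hardened shape. The option name, action names, and the use of admin-ajax are assumptions for the example.

```php
<?php
// Hypothetical settings endpoint for a WordPress plugin (not the real plugin's code).
// Option/action names and the admin-ajax transport are assumptions for illustration.

// WEAK: any logged-in user (subscriber, customer) who reaches this action can
// store arbitrary HTML, which is later echoed raw into an admin-only page.
function hypo_save_label_weak() {
    $label = $_POST['swatch_label'];               // no sanitization
    update_option( 'hypo_swatch_label', $label );  // no capability or nonce check
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_label_weak', 'hypo_save_label_weak' );

function hypo_render_label_weak() {
    // Unescaped output in an attribute context: stored markup executes for the admin.
    echo '<input name="swatch_label" value="' . get_option( 'hypo_swatch_label' ) . '">';
}

// HARDENED: (1) require a capability only administrators hold,
// (2) verify a nonce bound to this action, (3) sanitize on input,
// (4) escape on output for the exact context (an HTML attribute here).
function hypo_save_label_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // blocks subscriber/customer roles
    }
    check_ajax_referer( 'hypo_save_label', 'nonce' );
    $raw   = isset( $_POST['swatch_label'] ) ? wp_unslash( $_POST['swatch_label'] ) : '';
    $label = sanitize_text_field( $raw );         // strips tags and control characters
    update_option( 'hypo_swatch_label', $label );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_label_safe', 'hypo_save_label_safe' );

function hypo_render_label_safe() {
    // Escape for the attribute context even though input was sanitized: defense in depth.
    echo '<input name="swatch_label" value="'
        . esc_attr( get_option( 'hypo_swatch_label', '' ) ) . '">';
}
```

When auditing a plugin for this pattern, check every `wp_ajax_*` and settings handler for a capability check and a nonce check, and every `echo` of stored data for a context-appropriate `esc_*` call.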