Users Urged to Disable WordPress Plugin After Unpatched Flaw Disclosed

[silversurfer]

An unpatched vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say.
 
The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.
 
“Earlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin,” said Luka Sikic, with WebArx Security in a Thursday post.

Visser Labs has not responded to a request for comment from Threatpost. On Friday, the plugin has been removed from the WordPress plugin repository. “This plugin was closed on April 26, 2019 and is no longer available for download,” according to a notice on the site. However, that still leaves the 60,000 websites who have already downloaded and are utilizing the plugin open to attack, according to researchers.

SOURCE: https://threatpost.com/users-urged-to-di...ed/144159/