Skip to main content

Wordfence Threat Intelligence team has disclosed a stored cross-site scripting (XSS) vulnerability in “Variation Swatches for WooCommerce” WordPress plugin. The XSS vulnerability is tracked as CVE-2021-42367 allows an attacker to inject malicious script on the WordPress website. Let’s see how to fix the CVE-2021-42367 vulnerability- an XSS vulnerability In the Variation Swatches WordPress plugin.

As per the plugin download count, the plugin has been downloaded more than 80,000 times. So it is necessary for all the users who have downloaded the plugin on their WordPress website.

Variation Swatches For WooCommerce Plugin:

Variation Swatches for WooCommerce is a WordPress plugin created for eCommerce product sellers to add variation to their products created with WooCommerce. This plugin helps business owners to display the same products with different colors, images, and labels, sizes, styles, and many things in a better way which is not supported by WooCommerce. Please visit this page to read more about the plugin.

Summary Of The CVE-2021-42367 Vulnerability:

The report says that the Stored Cross-Site Scripting vulnerability allows an attacker to inject malicious JavaScript with low-level permissions. And execute the JavaScript when the site administrator accesses the settings area of the plugin. Insecure implementations of various AJAX actions used to manage settings in this plugin made the attackers tweak the plugin settings and inject malicious scripts with low-level permissions. Please read more details from this report.

This vulnerability can cause a serious problem like creating a new admin user account or creating a backdoor that would allow the attacker to completely take the site to his control.

Associated CVE IDCVE-2021-42367
DescriptionStored Cross-Site Scripting in “Variation Swatches for WooCommerce” WordPress plugin
Associated ZDI IDNA
Impact ScoreNA
Exploitability ScoreNA
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
Confidentiality (C)Low
Integrity (I)Low
availability (a)None

Versions Affected To This CVE-2021-42367 Vulnerability- A XSS Vulnerability:

This vulnerability exists in all the versions less than or equal to 2.1.1. It is recommended to update the plugin to v2.1.2 or above where this flaw is patched.

Other WordPress Vulnerabilities In 2021:

On May 31, 2021, a critical 0-day WordPress plugins vulnerability (CVE-2021-24370) in the Fancy Product Designer plugin.

In October 2021, a WordPress plugin bug was discovered in the Hashthemes Demo Importer plugin, that allowed users with simple subscriber permissions to wipe all content.

And, in November 2021. another WordPress plugin in lets attackers display a fake ransomware encryption message demanding about $6,000 to unlock the site.

How To Fix The CVE-2021-42367 Vulnerability- A XSS Vulnerability?

The best way to fix the XSS CVE-2021-42367 Vulnerability is to update the Variation Swatches for the WooCommerce plugin to v2.1.2 or higher. It is always considered a best practice to update the themes, plugins, and WordPress itself to keep your website safe from new vulnerabilities.
We believe, updating the plugins and software is not enough to stop the cyber-attacks. You should buy a good security solution like Wordfence for your WordPress site. Such security solutions will always try to implement new firewall rules and update the signature database with their research which could save your site from various threats.

Follow these guidelines to keep your WordPress website healthy and safe:

  1. Update all themes, plugins, and WordPress regularly.
  2. Limit failed logins.
  3. Take regular backups.
  4. Restrict source IP address for login.
  5. Deploy SSL certificate for the secure channel.
  6. Deactivate or delete the unused plugins.
  7. Change admin login slug.

Join the discussion One Comment

Leave a Reply