Wordfence Threat Intelligence team has disclosed a stored cross-site scripting (XSS) vulnerability in “Variation Swatches for WooCommerce” WordPress plugin. The XSS vulnerability is tracked as CVE-2021-42367 allows an attacker to inject malicious script on the WordPress website. Let’s see how to fix the CVE-2021-42367 vulnerability- an XSS vulnerability In the Variation Swatches WordPress plugin.
As per the plugin download count, the plugin has been downloaded more than 80,000 times. So it is necessary for all the users who have downloaded the plugin on their WordPress website.
Variation Swatches For WooCommerce Plugin:
Variation Swatches for WooCommerce is a WordPress plugin created for eCommerce product sellers to add variation to their products created with WooCommerce. This plugin helps business owners to display the same products with different colors, images, and labels, sizes, styles, and many things in a better way which is not supported by WooCommerce. Please visit this page to read more about the plugin.
Summary Of The CVE-2021-42367 Vulnerability:
This vulnerability can cause a serious problem like creating a new admin user account or creating a backdoor that would allow the attacker to completely take the site to his control.
|Associated CVE ID||CVE-2021-42367|
|Description||Stored Cross-Site Scripting in “Variation Swatches for WooCommerce” WordPress plugin|
|Associated ZDI ID||NA|
|CVSS Score||6.4 MEDIUM|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||Low|
|User Interaction (UI)||None|
Versions Affected To This CVE-2021-42367 Vulnerability- A XSS Vulnerability:
This vulnerability exists in all the versions less than or equal to 2.1.1. It is recommended to update the plugin to v2.1.2 or above where this flaw is patched.
Other WordPress Vulnerabilities In 2021:
On May 31, 2021, a critical 0-day WordPress plugins vulnerability (CVE-2021-24370) in the Fancy Product Designer plugin.
In October 2021, a WordPress plugin bug was discovered in the Hashthemes Demo Importer plugin, that allowed users with simple subscriber permissions to wipe all content.
How To Fix The CVE-2021-42367 Vulnerability- A XSS Vulnerability?
The best way to fix the XSS CVE-2021-42367 Vulnerability is to update the Variation Swatches for the WooCommerce plugin to v2.1.2 or higher. It is always considered a best practice to update the themes, plugins, and WordPress itself to keep your website safe from new vulnerabilities.
We believe, updating the plugins and software is not enough to stop the cyber-attacks. You should buy a good security solution like Wordfence for your WordPress site. Such security solutions will always try to implement new firewall rules and update the signature database with their research which could save your site from various threats.
Follow these guidelines to keep your WordPress website healthy and safe:
- Update all themes, plugins, and WordPress regularly.
- Limit failed logins.
- Take regular backups.
- Restrict source IP address for login.
- Deploy SSL certificate for the secure channel.
- Deactivate or delete the unused plugins.
- Change admin login slug.