23 Dec, 2019

WP Shopify XSS Vulnerability Still Exploited

WP Shopify turned out to have a serious problem: vulnerability. Here’s what you need to know about the WP Shopify XSS vulnerability.
When you run a WordPress site, you have to keep the software updated to stay safe. It's not just the WordPress core that needs regular patches, but any plugins you use. In the summer of 2019, a popular plugin called WP Shopify turned out to have a serious vulnerability. Its creators have fixed the bug and published an updated version, but not everyone has installed the fix.

The problem is known as the WP Shopify XSS vulnerability. It lets attackers put malicious JavaScript into pages or redirect visitors to other sites. Visitors to the site will experience strange behavior and may be redirected to malicious websites.

Any sites that still have the old version of the plugin (before 2.0.5) and don't have strong website protection are seriously at risk. Our analysis of logs from websites protected by Quttera WAF shows that 30% of them were attacked by packets trying to exploit the vulnerability. Full website protection requires patching known weaknesses and maintaining strong network defenses.
Cross-site scripting
Coding bugs or unapproved third-party content, such as rogue ads, open sites to cross-site scripting vulnerabilities. JavaScript from a third-party site appears on the mage and performs unauthorized actions.

Sometimes the intruding code runs just by being on the page. In other cases, it tricks the user into activating it by clicking a link or a button. XSS can capture information from forms, alter the content of a page, try to download malware, or send the user to another site.

Browser settings and plugins guard against XSS attempts, warning the user that something looks amiss. They don't catch all cases, though, and users can choose to ignore the warning. Website owners need to do all they can to prevent those situations. If the site offers e-commerce or otherwise handles money, it's twice as important.
The WP Shopify XSS bug
WP Shopify lets a WordPress site smoothly use Shopify as a backend for e-commerce. It provides a shopping cart that uses Shopify's API and Buy button. WordPress.org reports that it's active on over 3,000 sites.

The plugin uses a REST API, meaning that requests take the form of URL paths over an HTTP interface. Paths are mapped to functions, and one of them is the update_settings() function. As you might suppose, it lets an authorized user change the plugin's settings.

The problem is that the plugin wasn't properly checking for authorization. Anyone could change the settings from a browser. They didn't even have to be logged in.

Some of the settings let the user inject snippets into pages. They could contain any kind of JavaScript.

That's a really serious hole in the security of the plugin and of any site that uses the buggy version.

Attackers use this bug to stick a small piece of JavaScript into a page. It then downloads content from the attacker's site and injects it into the page. A wide range of actions is possible, depending on what the intruder is after. Usually, the script goes into the page header, where it will run as it loads, and it aims to take the user to another site. These are some of the methods:

  • Invoking the location.replace() function to redirect the page.
  • Assign a new value to document.location or window.location in the DOM.
  • Replacing the page content with a short body and then calling location.replace(). This can make the redirection look more legitimate since the user sees a request to wait a moment.
  • Inserting a meta refresh tag to cause page redirection.
  • Using HTTP redirect codes.
Once it has been inserted, the malicious script will continue to redirect users until it is removed. As long as the vulnerability exists, the attacker can restore removed scripts or change existing ones.
WP Shopify Malware Redirection Attack Investigation
Let's have a look at real infection as detected on customer website and remediated by ThreatSign software.

The following is the XSS attack dump:
Injected JavaScript code:
Traffic redirect - 1:
Traffic redirect - 2:
Traffic redirect - 3:
Traffic redirect - 4:
Traffic redirect - 5:
Traffic redirect - final landing page:
The fix
This problem was fixed in version 2.0.5, which was released in August 2019. If your site has the WP Shopify plugin, please check its version immediately. If it's an older version, update it immediately or as soon as possible. Once it's patched, check your site for any suspicious behavior.

Many sites don't update their plugins with any regularity. If yours is one, it doesn't matter whether it's big or obscure. Criminals run automated scans, looking for any vulnerable sites. Keeping plugins current is an essential part of WordPress website protection.
The bigger picture
Doing that sounds simple. When you have many balls in the air, though, it's easy to drop one. You want to verify that updates won't break your site. Ideally, you should test them before going live. Updates sometimes have compatibility issues or change functionality in unwanted ways. If advance testing isn't possible, you at least want to update the plugins during low-traffic times, watch for problems, and be ready to roll them back if necessary. This gets complicated, especially if you maintain multiple sites.

Sometimes the bad guys discover vulnerabilities and exploit them before there is a fix. There was a period when the Shopify plugin problem was publicly known but a patch wasn't available. Some vulnerabilities require great ingenuity and patience to discover. This one was blatant and easy to exploit.

Even the best-maintained sites have windows of vulnerability. Fixing known risks is important, but it isn't a complete approach to website protection. Some threats will get through, and scanning for anomalous behavior on a site is necessary to catch and remove the problem quickly.

Keeping malicious packets from reaching the site will stop many threats from getting through, even if the latest patches aren't in place. A web application firewall (WAF) monitors incoming traffic and looks for hostile patterns. The key is to force the attacker to face multiple defenses, at least one of which will be enough to stop it from doing harm.

Quttera WAF guards your website against hostile traffic, such as the kind that exploits the WP Shopify XSS vulnerability. It uses a constantly updated set of rules to analyze incoming requests before they reach your applications. You can configure the rules and set up whitelists to fit your website protection needs. The WAF is part of Quttera's ThreatSign package, which provides comprehensive protection for websites at a reasonable cost.