Up to 4 million online merchants who use the popular WooCommerce WordPress plugin are exposed to a file deletion vulnerability that could allow a rogue “shop manager” to escalate privileges and eventually execute remote code on affected websites.

Researchers at RIPS Technologies trace the bug to an unpatched design flaw in the WordPress privilege system. While the flaw affects many WordPress plugins, one of the larger ones affected is WooCommerce, an open source e-commerce plugin designed for small to large online merchants using WordPress.

WooCommerce establishes “roles” for users ranging from customer and shop manager to admin. The shop manager role allows a user to manage all settings within the WooCommerce platform, such as creating and editing products.

A bad actor in the “shop manager” role could open the vulnerable log manager in WordPress and inject a payload that deletes the WooCommerce plugin. Deleting it disables the plugin, and with it the runtime restrictions the plugin enforces, so the attacker can then edit the admin account and take it over.

An admin account takeover by shop managers is possible because the restrictions on what a role may do are implemented as filters that plugins attach to their roles, in this case the WooCommerce roles. The roles themselves are independent of one another and exist even if the plugin is inactive: they are stored in the database as a core WordPress setting. The filters, however, live in plugin code, so they only run while the plugin is active.

That would allow shop managers to update the password of admin accounts and take over the entire site.
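To make the mechanism described above concrete, here is an added Python model (not WordPress or WooCommerce code) of a capability check in which the protection of administrator accounts comes from a plugin-supplied filter while the role grants persist in storage; the role and capability names are assumptions that follow WordPress conventions.

```python
# Constructed model (not WordPress/WooCommerce code) of the mechanism above:
# role capabilities persist in the database, while the check that keeps a
# shop manager away from administrator accounts is a filter supplied by plugin
# code, so it exists only while the plugin is loaded.

# Stored as a core WordPress setting; survives the plugin being removed.
ROLES_IN_DB = {
    "administrator": {"edit_users", "manage_options"},
    "shop_manager": {"edit_users", "manage_woocommerce"},
    "customer": set(),
}

def woocommerce_protect_admins(required, actor_role, target_role):
    """Hypothetical plugin filter on the capability check: editing an
    administrator is mapped to a capability no role holds."""
    if "edit_users" in required and target_role == "administrator" \
            and actor_role != "administrator":
        return required | {"do_not_allow"}
    return required

class Site:
    def __init__(self):
        self.filters = {}  # hook name -> callbacks; in memory only

    def activate_woocommerce(self):
        self.filters.setdefault("map_meta_cap", []).append(woocommerce_protect_admins)

    def deactivate_woocommerce(self):
        # Once the plugin's main file is deleted WordPress no longer loads it,
        # so its filters are never registered; the role rows in the DB remain.
        self.filters.pop("map_meta_cap", None)

    def user_can(self, actor_role, cap, target_role=None):
        required = {cap}
        for fn in self.filters.get("map_meta_cap", []):
            required = fn(required, actor_role, target_role)
        return required <= ROLES_IN_DB[actor_role]

def shop_manager_can_edit_admin(site):
    return site.user_can("shop_manager", "edit_users", target_role="administrator")

def demo():
    site = Site()
    site.activate_woocommerce()
    blocked = shop_manager_can_edit_admin(site)   # False while the plugin runs
    site.deactivate_woocommerce()
    allowed = shop_manager_can_edit_admin(site)   # True once the filter is gone
    return blocked, allowed
```

The lesson for defenders is that a restriction enforced only by plugin code disappears with the plugin, while the capability grant it was restricting does not.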

An attacker could obtain a shop manager account via XSS vulnerabilities or phishing, then exploit the flaw to take over any administrator account and execute code on the server.