The Wordfence threat intelligence team is being kept busy these days. After detecting a vulnerability in the SEOPress plugin, the team at Wordfence has found that the Booster plugin for WooCommerce is affected by a vulnerability rated CVSS 9.8. A site using the plugin can be taken over by an attacker through the plugin's insecure email validation module.
The Booster plugin sends out an email to validate users who have registered on the site. The server, however, does not check that the response to the validation email comes from the user the email was sent to. An attacker could use a different validation email or send a forged response to the server, then log in to the website and assume ownership of the site.
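The flaw described above is a classic failure to bind a verification link to the account it was issued for. The following is an added illustration, not code from the Booster plugin or from Wordfence: it contrasts a verification check that trusts the user id in the link (`insecure_verify`) with one that issues an HMAC-bound, expiring token and verifies it with a constant-time comparison (`issue_token` / `secure_verify`). All names, the user table and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data: a per-site secret and a tiny user table.
SERVER_SECRET = secrets.token_bytes(32)
USERS = {101: "alice@example.com", 1: "admin@example.com"}
TOKEN_TTL_SECONDS = 24 * 3600


def insecure_verify(claimed_user_id: int, token: str) -> bool:
    """Vulnerable pattern (hypothetical): the user id carried in the link is
    trusted and the token is only checked for presence, so a request naming
    any existing user id with any non-empty token is accepted."""
    return claimed_user_id in USERS and bool(token)


def issue_token(user_id: int, now: Optional[int] = None) -> str:
    """Issue a verification token bound to the user id and an expiry time.
    The MAC is computed under a secret only the server knows, so a client
    cannot forge a token for a different user id."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    msg = f"{user_id}:{expires}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user_id}.{expires}.{mac}"


def secure_verify(claimed_user_id: int, token: str, now: Optional[int] = None) -> bool:
    """Accept the verification only if the token parses, names the same user
    id the request claims, has not expired, and carries a valid MAC."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, mac = token.split(".")
        uid, expires = int(uid_s), int(exp_s)
    except ValueError:
        return False  # malformed token
    if uid != claimed_user_id or uid not in USERS:
        return False  # token was issued for a different (or unknown) user
    if now > expires:
        return False  # stale link
    expected = hmac.new(SERVER_SECRET, f"{uid}:{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    t = issue_token(101)
    print("alice's own link accepted:", secure_verify(101, t))
    print("alice's link replayed as admin:", secure_verify(1, t))
    print("insecure check, admin with junk token:", insecure_verify(1, "x"))
```

In a real deployment the token would additionally be stored server-side and marked consumed after one successful use, so that a leaked link cannot be replayed within its lifetime.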
“As such, an attacker could exploit this vulnerability to gain administrative access on sites running a vulnerable version of the plugin and effectively take over the site,” explains Chris Chamberland of Wordfence.
The worrying part of this vulnerability is that the Booster plugin is in use on over 80,000 WordPress websites. A patch to fix the email authentication link was released by the developers on 11th August, 2021, specifically addressing the security gaps raised by Wordfence. Last night, the developers released a further security patch, which takes the plugin to version 5.4.5.
We strongly suggest using the latest version of Booster for WooCommerce to protect your site against unwarranted hack attempts.
Helen is a geeky nerd who seeks to find and fix tech gaps in the latest gadgets. She is always on the lookout for resolving technical queries of users, and is an avid writer on technical subjects.