CVE-2024-43121 - HUSKY Plugin Vulnerability
Summary:
HUSKY is a products filter plugin, developed by “realmag777”, that extends the WooCommerce e-commerce plugin for WordPress. Around 478 million websites are built on WordPress. HUSKY lets website visitors search and filter WooCommerce products by categories, attributes, tags, taxonomies, meta fields, and product prices. With its powerful and user-friendly features, HUSKY provides a seamless filtering experience that helps customers find the products they want efficiently. Features include modular representation, SKU product lookup, infinite scrolling, and a products shortcode. CVE-2024-43121 is an improper privilege management vulnerability in realmag777 HUSKY that allows unauthorized privilege escalation; it was discovered by Rafie Muhammad of Patchstack. A malicious actor holding a low-privileged account could escalate it to a role with higher privileges and, if high privileges are gained, take full control of the website. A patched version of this plugin has recently been published: all product versions prior to 1.3.6.2 are vulnerable, and users should update the software product if possible. This critical vulnerability has a score of 9.1, has been classified as highly dangerous, and is expected to be mass exploited. WooCommerce is an open-source e-commerce platform plugin, so it is especially exposed to supply chain attacks that could compromise the systems of organizations that use WooCommerce and the accompanying HUSKY plugin.
Security Officer Comments:
Critical vulnerability CVE-2024-43121 affects the HUSKY WooCommerce plugin, a widely used e-commerce tool for WordPress websites. This improper privilege management flaw allows attackers to escalate their permissions from low-privileged accounts to those with elevated rights, potentially granting full control over affected websites. Given the expansive reach of WordPress, which powers approximately 478 million websites, the potential impact of this vulnerability is widespread. At least since 2022, WordPress’ expansive reach has made it a highly incentivized target for adversaries, especially APT groups. In the past, software such as the WPGateway plugin (in September 2022) and the WP User Frontend plugin (in January 2024) have been exploited to gain unauthorized access to affected websites and to steal sensitive data. This assessment is based on open-source information and may not cover the complete scope of these vulnerabilities, especially CVE-2024-43121, as the advisory was published on August 7th.
The HUSKY plugin's popularity within the WooCommerce ecosystem exacerbates the risk, as supply chain attacks targeting open-source components like WooCommerce have become increasingly prevalent. Organizations utilizing WooCommerce and HUSKY are urged to prioritize patching to version 1.3.6.2 or later to mitigate the risk of unauthorized access and data breaches. If your organization is unable to patch this vulnerability, there are potential SaaS alternatives to open-source WooCommerce, such as Shopify and Salesforce Commerce. Although at first glance open-source software seems like the less expensive option, some SaaS e-commerce solutions are actually cheaper and less tedious to maintain than WooCommerce, depending on the SaaS platform and on your hosting service costs.
Suggested Corrections:
Update the HUSKY plugin to version 1.3.6.2 or later to remove the vulnerability.
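One way to confirm the installed HUSKY version against the fixed release before and after patching. This is an added example, not code from the advisory or the plugin vendor; it relies only on the standard WordPress plugin header format ("Version:" inside the main PHP file's comment block), assumes the plugin directory slug from the wordpress.org URL, and the sample header it runs on is constructed.

```python
"""Check whether an installed HUSKY (woocommerce-products-filter) plugin is
below the fixed version 1.3.6.2 named in the advisory (CVE-2024-43121).
Added example; the sample header at the bottom is constructed."""
import re
from pathlib import Path

FIXED_VERSION = "1.3.6.2"                    # first non-vulnerable release
PLUGIN_SLUG = "woocommerce-products-filter"  # directory name from the wordpress.org URL (assumed)
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(v: str) -> tuple:
    """'1.3.6.1' -> (1, 3, 6, 1); non-numeric pieces count as 0 so comparison never raises."""
    parts = []
    for piece in v.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed; shorter tuples are right-padded with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def header_version(php_source: str):
    """Extract the Version: field; WordPress itself reads only the first 8 KiB of the file."""
    m = HEADER_RE.search(php_source[:8192])
    return m.group(1) if m else None

def check_plugin_dir(plugins_root):
    """Scan wp-content/plugins/<slug>/*.php for a header; return (version, vulnerable) or None."""
    for php in sorted((Path(plugins_root) / PLUGIN_SLUG).glob("*.php")):
        ver = header_version(php.read_text(errors="replace"))
        if ver:
            return ver, is_vulnerable(ver)
    return None

# Constructed sample header (not the real plugin file) so the script runs stand-alone.
SAMPLE_HEADER = """<?php
/*
Plugin Name: HUSKY Products Filter (sample)
Version: 1.3.6.1
*/
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"HUSKY {v}: {'VULNERABLE, update to ' + FIXED_VERSION if is_vulnerable(v) else 'patched'}")
```

On a live site, call check_plugin_dir("/var/www/html/wp-content/plugins") instead of the sample header.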
Software Supply Chain Attack Suggested Corrections
Threat actors employ different techniques to execute software supply chain attacks. Three common techniques are:
- Hijacking updates
- Undermining code signing
- Compromising open-source code
Hijacking Updates
“Most modern software receives routine updates to address bugs and security issues. Software vendors typically distribute updates from centralized servers to customers as a routine part of product maintenance. Threat actors can hijack an update by infiltrating the vendor’s network and either inserting malware into the outgoing update or altering the update to grant the threat actor control over the software’s normal functionality. For example, the NotPetya attack occurred in 2017 when Russian hackers targeting Ukraine spread malware through tax accounting software popular in Ukraine. What would later be called the NotPetya malware spread well beyond Ukraine and caused major global disruptions in crucial industries, including international shipping, financial services, and healthcare” (CISA, 2022).
Undermining Codesigning
“Codesigning is used to validate the identity of the code’s author and the integrity of the code. Attackers undermine codesigning by self-signing certificates, breaking signing systems, or exploiting misconfigured account access controls. By undermining codesigning, threat actors are able to successfully hijack software updates by impersonating a trusted vendor and inserting malicious code into an update. For example, APT 41, a China-based threat actor, routinely undermines codesigning while conducting sophisticated software supply chain compromises against the United States and other countries” (CISA, 2022).
Compromising Open-Source Code
“Open-source code compromises occur when threat actors insert malicious code into publicly accessible code libraries, which unsuspecting developers—looking for free blocks of code to perform specific functions—then add into their own third-party code. For example, in 2018, researchers discovered 12 malicious Python libraries uploaded on the official Python Package Index (PyPI). The attacker used typosquatting tactics by creating libraries titled “diango,” “djago,” “dajngo,” etc., to lure developers seeking the popular “django” Python library. The malicious libraries contained the same code and functionality of those they impersonated; but they also contained additional functionality, including the ability to obtain boot persistence and open a reverse shell on remote workstations. Open-source code compromises can also affect privately owned software because developers of proprietary code routinely leverage blocks of open-source code in their products” (CISA, 2022).
“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps. Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred. Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks” (CISA, 2022).
NIST suggests eight key practices for establishing a C-SCRM (Cyber Supply Chain Risk Management) approach that can be applied to software:
- Integrate C-SCRM across the organization.
- Establish a formal C-SCRM program.
- Know and manage critical components and suppliers.
- Understand the organization’s supply chain.
- Closely collaborate with key suppliers.
- Include key suppliers in resilience and improvement activities.
- Assess and monitor throughout the supplier relationship.
- Plan for the full lifecycle.
These practices can assist in preventing, mitigating, and responding to software vulnerabilities that may be introduced through the cyber supply chain and exploited by malicious actors.
https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
Link(s):
https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-6-1-privilege-escalation-vulnerability
https://wordpress.org/plugins/woocommerce-products-filter/#developers
https://cvefeed.io/vuln/detail/CVE-2024-43121