WordPress, WooCommerce flaws combine to allow website hijacking

This device is unable to play the requested video. A flaw in how WordPress handles privilege assignments can be exploited to permit attackers to hijack WooCommerce websites.
The issue in the content management system (CMS) was discovered by Simon Scannell, a security researcher from RIPS Technologies, who said in a blog post that the design flaw specifically impacts WooCommerce, a popular WordPress plugin which has been downloaded over four million times.
"The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account," the security researcher says.
The plugin has been developed by Automattic and is a free e-commerce system for WordPress-based websites.
A file deletion bug was found in the software, and on its own, would generally not be considered critical as the best an attacker could do would be to delete index.php pages and cause a denial of service. However, when coupled with the WordPress design flaw, the bug’s severity increases.
See also: WordPress urges users to update now to fix critical security holes
The unpatched WordPress issue stems from how the CMS assigns capabilities to different roles.
When the
Source: https://managewp.org/articles/18076/wordpress-woocommerce-flaws-combine-to-allow-website-hijacking

source https://williechiu40.wordpress.com/2018/11/08/wordpress-woocommerce-flaws-combine-to-allow-website-hijacking/