WordPress deactivates ten flaw-riddled plugins that expose e-commerce sites to attacks

Researchers at WordPress security firm ThreatPress have discovered multiple flaws in ten WordPress plugins made by Multidots for e-commerce websites powered by the WooCommerce platform.

The vulnerable plugins are available through WordPress.org and have been installed around 20,000 times, including 10,000 installations of Page Visit Counter, 3,000 installation of WooCommerce Category Banner Management and 2,000 installations of WooCommerce Checkout for Digital Goods.

According to experts, the plugins can be exploited by hackers through stored cross-site scripting (XSS), cross-site request forgery and SQL injection vulnerabilities to obtain complete control of the compromised e-commerce sites.

“The vulnerabilities allow an unauthenticated attacker to inject malicious JavaScript, and thus provide the opportunity to hijack clients’ credit cards data and to receive clients’ and administrator’s logins,” ThreatPress' Rasa Adams told SecurityWeek.

Additionally, these vulnerabilities could be used by attackers to deface websites, execute remote shells, install keyloggers and upload cryptocurrency miners or other types of malware, researchers said. In many cases, the exploitation requires the victim to click on a specially-crafted URL or visit a certain page. In other cases, the flaws can be exploited without any user interaction.

Multidot was notified of the issue on May 8 to which the company had confirmed later. However, the developers failed to take any appropriate action leading ThreatPress to notify WordPress. As a result, WordPress decided to disable most of the affected plugins.

CVE identifiers have been assigned to four of the vulnerabilities - CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632. According to ThreatPress, more identifiers are expected to be assigned shortly. ThreatPress has already published technical details and proof-of concept (POC) code for each of the vulnerabilities.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams noted in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”