Vulnerabilities in Multidots WordPress plugins for WooCommerce

Ten WordPress Plugins By Multidots For WooCommerce Identified As Vulnerable And Dangerous

Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor, MULTIDOTS Inc. All of the vulnerable plugins are designed to work alongside WooCommerce, so every online store that runs WooCommerce together with one of these plugins is at real risk.

Vulnerable WordPress plugins

All of these WordPress plugins were available in the WordPress.org plugin repository, and all of them were highly dangerous.

  • WooCommerce Category Banner Management (Active installations: 3,000+) – Unauthenticated Settings Change
  • Add Social Share Messenger Buttons Whatsapp and Viber (Active installations: 500+) – Cross-site Request Forgery (CSRF)
  • Advance Search for WooCommerce (Active installations: 200+) – Stored Cross-site scripting (XSS)
  • Eu Cookie Notice (Active installations: 600+) – Cross-site request forgery (CSRF)
  • Mass Pages/Posts Creator (Active installations: 1,000+) – Authenticated Stored Cross-Site scripting (XSS)
  • Page Visit Counter (Active installations: 10,000+) – SQL Injection
  • WooCommerce Checkout For Digital Goods (Active installations: 2,000) – Cross-site request forgery (CSRF)
  • WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (Active installations: 1,000+) – Cross-site request forgery (CSRF) and Stored Cross-site scripting (XSS)
  • WooCommerce Product Attachment (Active installations: 800+) – Authenticated stored Cross-site scripting (XSS)
  • Woo Quick Reports (Active installations: 300+) – Stored Cross-Site Scripting (XSS)

Why are all these plugins closed now?

The ThreatPress research team notified MULTIDOTS Inc. about the security issues on 2018-05-08. We received a clear response that they understood the problem. We then waited for information about updates to these plugins, but it took too long and the vendor gave no clear answer about an expected release date. After a few weeks the plugins were still not patched.

We decided to report this situation to the WordPress plugin repository security team. All WordPress plugins listed above were closed on May 23, 2018 and are no longer available for download.

Closed WordPress plugins by Multidots

Plugin vulnerabilities

We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection vulnerabilities that could be exploited by attackers to upload keyloggers, web shells, crypto miners and other malicious software, or to completely deface the website.
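To show what the vulnerability classes above look like at the code level, here is an added example (not code from any Multidots plugin): a WordPress AJAX handler written the weak way, next to a hardened version with the checks each class requires. The hook, option and table names are assumed for illustration.

```php
<?php
// Added example, not code from the Multidots plugins. Hook, option and
// table names are assumed for illustration.

// WEAK pattern: reachable by anyone (wp_ajax_nopriv_), no nonce, no
// capability check, raw input stored, SQL built by concatenation. This
// is the shape behind "unauthenticated settings change", CSRF, stored
// XSS and SQL injection in a plugin.
add_action( 'wp_ajax_nopriv_demo_save_banner', 'demo_save_banner_insecure' );
add_action( 'wp_ajax_demo_save_banner', 'demo_save_banner_insecure' );
function demo_save_banner_insecure() {
    global $wpdb;
    update_option( 'demo_banner_html', $_POST['banner'] );          // stored XSS
    $wpdb->query( "SELECT COUNT(*) FROM {$wpdb->prefix}demo_visits WHERE page_id = "
                  . $_POST['page_id'] );                            // SQL injection
    wp_die( 'saved' );
}

// HARDENED version: logged-in users only, nonce bound to the action,
// capability check, input sanitised on write, SQL prepared, output escaped.
// The admin page that issues the request emits the nonce with
// wp_nonce_field( 'demo_save_banner_v2' ).
add_action( 'wp_ajax_demo_save_banner_v2', 'demo_save_banner_secure' );
function demo_save_banner_secure() {
    global $wpdb;
    check_ajax_referer( 'demo_save_banner_v2', '_wpnonce' );         // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {                 // authorisation
        wp_send_json_error( 'forbidden', 403 );
    }
    $banner  = wp_kses_post( wp_unslash( $_POST['banner'] ?? '' ) ); // safe HTML subset only
    $page_id = absint( $_POST['page_id'] ?? 0 );                     // integer or 0
    update_option( 'demo_banner_html', $banner );
    $count = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}demo_visits WHERE page_id = %d",
        $page_id
    ) );
    wp_send_json_success( array( 'visits' => $count ) );
}

// Rendering the stored setting: escape on output regardless of what was saved.
function demo_render_banner() {
    echo wp_kses_post( get_option( 'demo_banner_html', '' ) );
}
```

The absence of any one of the nonce, capability, sanitisation or prepared-statement lines maps directly onto one of the vulnerability classes listed for the Multidots plugins.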

The worst part of this situation, and what forced us to send a report to the WordPress security team, is that all these plugins are made to work only with WooCommerce. That means every affected site exists for one purpose: sales. These sites handle personal data, credit card numbers and other sensitive data. We decided to protect all these sites and their visitors against possible cyber attacks and data leaks.

According to the plugin repository, these plugins have over 19,400 active installs combined, which means there are a lot of vulnerable e-shops out there.

The author (MULTIDOTS Inc.) failed to fix the problem within a period of 3 weeks. It’s good to know that the WordPress security team reacts quickly, but we still have a big problem: there is no way to inform all users of these plugins about the threat. It’s strange that WordPress can show you information about available updates but still can’t protect you by showing information about closed plugins in the same way. We hope to see some changes in this area; with such a notification, owners of affected websites could be informed and almost twenty thousand websites secured.

Rasa A.
