Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins designed to work alongside with WooCommerce so there is a real threat to all online stores powered by WooCommerce and one of these plugins.
Vulnerable WordPress plugins
All these WordPress plugins were available on WordPress.org plugin repository and all of them were highly dangerous.
- WooCommerce Category Banner Management (Active installations: 3,000+) – Unauthenticated Settings Change
- Add Social Share Messenger Buttons Whatsapp and Viber (Active installations: 500+) – Cross-site Request Forgery (CSRF)
- Advance Search for WooCommerce (Active installations: 200+) – Stored Cross-site scripting (XSS)
- Eu Cookie Notice (Active installations: 600+) – Cross-site request forgery (CSRF)
- Mass Pages/Posts Creator (Active installations: 1,000+) – Authenticated Stored Cross-Site scripting (XSS)
- Page Visit Counter (Active installations: 10,000+) – SQL Injection
- WooCommerce Checkout For Digital Goods (Active installations: 2,000) – Cross-site request forgery (CSRF)
- WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (Active installations: 1,000+) – Cross-site request forgery (CSRF) and Stored Cross-site scripting (XSS)
- WooCommerce Product Attachment (Active installations: 800+) – Authenticated stored Cross-site scripting (XSS)
- Woo Quick Reports (Active installations: 300+) – Stored Cross-Site Scripting (XSS)
Why are all these plugins closed now?
ThreatPress research team notified MULTIDOTS Inc. about security issues on 2018-05-08. We received a clear response that they do understand the problem. We were waiting for information about updates of these plugins, but it took too long and there were no clear answers from the vendor about the expected update release date. After a few weeks the plugins were not patched.
We decided to report this situation to the WordPress plugin repository security team. All WordPress plugins listed above were closed on May 23, 2018 and are no longer available for download.
We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.
The worst part of this situation that forced us to send a report to WordPress security team is that all these plugins made to work only with WooCommerce. It means that all sites that are affected are made for one purpose – sales. These sites operate with personal data, credit card numbers and other sensitive data. We decided to protect all these sites and their visitors against possible cyber attacks and data leaks.
According to the WordPress.org plugin repository, there are over 19,400 active installs of these plugins and it means that there is a bunch of vulnerable e-shops out there.
The author (MULTIDOTS Inc.) failed to fix the problem within a period of 3 weeks. It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat. It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.