WordPress disables 10 dangerous plugins
Ten WordPress plugins built for WooCommerce-based e-commerce websites contain vulnerabilities. All of them are provided by the same company, Multidots. Because the developer has not yet released a patch and the plugins are used by many high-traffic websites, WordPress has disabled the dangerous plugins. The following is the information on the dangerous plugins:
WooCommerce Category Banner Management (active installations: 3,000+) – unauthenticated settings change
Add Social Share Messenger Buttons Whatsapp and Viber (active installations: 500+) – cross-site request forgery (CSRF)
Advance Search for WooCommerce (active installations: 200+) – stored cross-site scripting (XSS)
EU Cookie Notice (active installations: 600+) – cross-site request forgery (CSRF)
Mass Pages/Posts Creator (active installations: 1,000+) – authenticated stored cross-site scripting (XSS)
Page Visit Counter (active installations: 10,000+) – SQL injection
WooCommerce Checkout for Digital Goods (active installations: 2,000) – cross-site request forgery (CSRF)
WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (active installations: 1,000+) – cross-site request forgery (CSRF) and stored cross-site scripting (XSS)
WooCommerce Product Attachment (active installations: 800+) – authenticated stored cross-site scripting (XSS)
Woo Quick Reports (active installations: 300+) – stored cross-site scripting (XSS)
According to ThreatPress, security researchers discovered a wide variety of vulnerabilities in the 10 plugins. The affected plugins are distributed through WordPress.org and let WooCommerce store owners manage their online stores. According to the statistics, the vulnerable plugins have nearly 20,000 active installations in total, including 10,000 for Page Visit Counter, 3,000 for WooCommerce Category Banner Management and 2,000 for WooCommerce Checkout for Digital Goods.
According to the security experts' analysis, the plugins created by Multidots are affected by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities. These vulnerabilities can be used to take control of the e-commerce websites on which the plugins are installed. An attacker could compromise a website, execute a remote shell, plant a keylogger, and upload cryptocurrency-mining programs or other types of malware.
Given that the affected sites are online stores that collect personal and financial information, attackers could obtain valuable data. The vulnerabilities allow unauthenticated attackers to inject malicious JavaScript, which creates an opportunity to hijack customers' credit card data and capture customer and administrator logins. Although most of the dangerous scenarios require someone on a site with the plugin installed to visit a URL or page, some of the vulnerabilities can be exploited without any interaction.
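As an added illustration (not code from any Multidots plugin or from ThreatPress), the following hypothetical WordPress settings handler shows the weak shape behind the "unauthenticated settings change", CSRF, stored XSS and SQL injection findings listed above, next to the hardened form built on WordPress's own APIs; every function, option and table name here is invented.

```php
<?php
// Added illustration only; hypothetical plugin code, not any real plugin.

// --- Weak form: the "admin_post_nopriv_" hook fires for visitors who are not
// logged in, there is no capability check and no nonce, so any visitor (or a
// logged-in admin lured onto a forged form) can change the setting.
add_action( 'admin_post_nopriv_demo_save_banner', 'demo_save_banner_weak' );
add_action( 'admin_post_demo_save_banner', 'demo_save_banner_weak' );
function demo_save_banner_weak() {
    update_option( 'demo_banner_text', $_POST['banner_text'] ); // raw input stored
    wp_safe_redirect( admin_url( 'admin.php?page=demo-banner' ) );
    exit;
}
function demo_render_banner_weak() {
    // Stored value echoed without escaping: stored XSS on every page that shows it.
    echo '<div class="banner">' . get_option( 'demo_banner_text' ) . '</div>';
}

// --- Hardened form: logged-in users only, a capability check, a nonce check
// (check_admin_referer() stops the request on failure), sanitised input and
// escaped output.
add_action( 'admin_post_demo_save_banner_safe', 'demo_save_banner_safe' );
function demo_save_banner_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'demo_save_banner', 'demo_nonce' );
    $text = sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) );
    update_option( 'demo_banner_text', $text );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-banner' ) );
    exit;
}
function demo_render_banner_safe() {
    echo '<div class="banner">' . esc_html( get_option( 'demo_banner_text', '' ) ) . '</div>';
}
// The settings form must emit the matching nonce field:
// wp_nonce_field( 'demo_save_banner', 'demo_nonce' );

// --- SQL: a visit-counter style query built with $wpdb->prepare() instead of
// concatenating request data into the statement.
function demo_page_visits( $page_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_visits'; // hypothetical table
    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE page_id = %d", $page_id )
    );
}
```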
Multidots acknowledged the problem after being notified on May 8, but took no further action. Fortunately, WordPress learned of the issues and decided to disable most of the affected plugins. Before ThreatPress publicly released its findings, it contacted Multidots for comment, but the company did not respond.
CVE identifiers have been assigned to four of these vulnerabilities; the remaining six have not yet received identifiers. So far, the assigned identifiers are CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632.
Technical details and proof-of-concept (PoC) code for each vulnerability have now been disclosed. The experts said: "It's nice that WordPress's security response was so fast, but we still have a big problem: it's difficult to tell all users about the threat of these plugins. It is strange that WordPress can display that updated information is available, but cannot provide information on closed plugins in the same way for protection. We hope to see some changes in this area. We hope that in this case we can notify the owners of the affected sites and protect nearly 20,000 sites."