Tuesday 11th December 2018

WordPress deletes 10 “highly dangerous” plugins installed 19,400 times from its repository

The plugins were developed for use with the e-commerce platform WooCommerce and create the potential to alter the content the user views on the page and hijack users’ accounts.
by Jason Smith on 6th June 2018

WordPress has removed 10 insecure plugins developed for the WooCommerce e-commerce platform from its plugin repository, according to a report by WordPress security firm ThreatPress.

The plugins had been uploaded to nearly 20,000 WordPress installations before they were deleted from the repository on 23rd May.

Even though the plugins are no longer available to download they are likely still running on thousands of WordPress installations.

In a post on its website, ThreatPress stated, “WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat.”

The 10 plugins affected were developed by MULTIDOT Inc., which was notified of the security issues by ThreatPress but failed to take the necessary action to update the source code.

ThreatPress gave MULTIDOT Inc. three weeks to update the plugins before notifying WordPress of the security issues.

Some of the plugins affected include WooCommerce Category Banner Management (3,000+ active installations), WooCommerce checkout for digital goods (2,000+ active installations) and Page Visit Counter (10,000+ active installations).

ThreatPress has described the plugins as “highly dangerous” and claims the vulnerabilities include stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection. The vulnerabilities could be exploited to upload keyloggers, crypto miners and other malicious software.

XSS attacks can occur on websites that fail to validate user input from comment fields, web forums, forms, etc.

They involve an attacker delivering malicious script to an unsuspecting user through the vulnerable website itself. The script then runs in the victim's browser and can access the user's cookies or other sensitive information stored on the client side.

They can also alter the content the user views on the page and hijack users’ accounts.
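To make the three flaw classes named above (stored XSS, CSRF and SQL injection) concrete in the WordPress plugin context, here is an added PHP example that is not code from the MULTIDOT plugins, ThreatPress or WordPress itself: a hypothetical plugin settings handler written the insecure way and then the hardened way using standard WordPress APIs. All `mybanner_*` function names, the option key and the table name are assumed placeholders.

```php
<?php
// Added illustration, not code from the affected plugins. A minimal admin
// handler that stores a banner text and counts page visits, shown first with
// the three flaw classes from the article and then in hardened form.
// `mybanner_*`, the option key and the table name are hypothetical.

// --- Insecure pattern (kept only to show what the fixes change) ---
function mybanner_save_insecure() {
    global $wpdb;
    // CSRF: no capability check and no nonce, so a logged-in admin who is
    // lured to a third-party page can have this action fired on their behalf.
    $text = $_POST['banner_text'];
    // Stored XSS: raw input is persisted and later echoed without escaping.
    update_option( 'mybanner_text', $text );
    // SQL injection: request data is concatenated straight into the query.
    $wpdb->query( "UPDATE {$wpdb->prefix}mybanner_hits SET hits = hits + 1 "
        . "WHERE page = '" . $_POST['page'] . "'" );
}
function mybanner_render_insecure() {
    echo '<div class="banner">' . get_option( 'mybanner_text' ) . '</div>';
}

// --- Hardened form ---
function mybanner_save_secure() {
    global $wpdb;
    // Authorisation: only users allowed to manage site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: require the nonce that wp_nonce_field( 'mybanner_save',
    // 'mybanner_nonce' ) emitted in the settings form; dies on mismatch.
    check_admin_referer( 'mybanner_save', 'mybanner_nonce' );

    // Normalise input on the way in (strips tags, trims, removes control chars).
    $text = sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) );
    update_option( 'mybanner_text', $text );

    // Parameterised query: $wpdb->prepare() quotes and escapes the value.
    $page = sanitize_text_field( wp_unslash( $_POST['page'] ?? '' ) );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}mybanner_hits SET hits = hits + 1 WHERE page = %s",
        $page
    ) );
}
function mybanner_render_secure() {
    // Escape at the point of output, regardless of how the value was stored.
    echo '<div class="banner">' . esc_html( get_option( 'mybanner_text', '' ) ) . '</div>';
}
```

The defensive pattern is the same for each class: check who is acting and that they intended to (capability plus nonce), parameterise every query, and escape every value at the point it is rendered rather than trusting what was stored.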

This threat is particularly serious because the plugins were developed exclusively for use with WooCommerce, which lets WordPress webmasters process credit card transactions.

According to the WordPress plugin repository, WooCommerce powers 30 percent of all online e-commerce stores. It was acquired by Automattic in 2015 for an estimated $30 million.