ThreatPress specialists discovered that ten e-commerce plugins produced by Multidots contain vulnerabilities and pose a danger to users. Previously, all plugins were available for download through the official WordPress.org repository and were intended for users of the WooCommerce platform.
In total, the vulnerable solutions had about 20,000 active installations (including 10,000 installations for the Page Visit Counter plugin, 3,000 installations for the WooCommerce Category Banner Management, and 1,000 installations for the WooCommerce Checkout for Digital Goods).
ThreatPress analysts write that Multidots plugins were vulnerable to various XSS, CSRF and SQL injections. Four bugs have already received CVE IDs (CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632), while the rest are still waiting in line.
Exploiting these problems, attackers could take control of a site that uses insecure plugins. According to the researchers, the attackers were able to deface a vulnerable site, remotely execute shells, inject a keylogger, a hidden miner, or any other malware onto the site. Given that vulnerable sites are online stores, attackers had a chance to get valuable financial and personal information about visitors to such resources.
To exploit the vulnerabilities, the victim had to be forced to go to a specially prepared URL or visit a specific page. However, some problems could be used without user interaction. Detailed information about the vulnerabilities and proof-of-concept exploits for each bug can be found on the ThreatPress blog.
Experts notified the developers of Multidots about what was happening back in early May 2018. They acknowledged the problem, but the fixes were never released. After that, the researchers were forced to seek help from WordPress experts, who promptly disabled most of the vulnerable plugins, preventing them from loading from the repository.
ThreatPress experts sadly note that these actions , unfortunately, will not help to secure all those who are already using vulnerable plugins. The thing is that WordPress displays information about available updates, but does not warn that some plugins have been found dangerous and their distribution has been suspended.