Researchers at ThreatPress firm discovered security vulnerabilities in ten WordPress plugins developed by Multidots, a company for e-commerce websites.
The vulnerable plugins are available on theWordPress.org and implement a set of features for WooCommerce installations that allow admins to manage their online shops, nearly 20,000 WordPress installs currently use them.
“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins designed to work alongside with WooCommerce so there is a real threat to all online stores powered by WooCommerce and one of these plugins.” reads a blog post published by ThreatPress.
“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”
Multidots plugins are affected by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited by an attacker to take complete control of e-commerce installs.
The flaws were tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632, they could allow attackers to power a broad range of attacks, such as installing cryptocurrency miners or install exploit kitsto deliver malware.
Experts warn that some vulnerabilities could be exploited without any user interaction.
The researchers at ThreatPress reported the flaw to Multidots on May 8, the company acknowledged the flaws but at the time it still hasn’t solved the flaws.
ThreatPress published technical details for the vulnerabilities and for each of them a proof-of-concept (PoC) code.
“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”