WordPress Plugins Leave Black Friday Shoppers Vulnerable

WordPress 5.0 Security Update

Researchers found a third of the top WordPress e-commerce plugins contain severe vulnerabilities tied to XSS cross-site scripting, SQL injection and file manipulation flaws.

Researchers are calling into question the safety of some of the top WordPress e-commerce plugins used on over 100,000 commercial websites prepping for Black Friday and Cyber Monday online sales.

In reviewing the top 12 WordPress e-commerce plugins, application security testing firm Checkmarx found four with severe vulnerabilities tied to reflected XSS (cross-site scripting), SQL injection and file manipulation flaws.

“If these vulnerabilities are exploited, users of over 135,000 websites could find their personal data, including credit card information, threatened,” according to Checkmarx’s analysis of the plugins, published Tuesday.

One of the four plugins contained three vulnerabilities, the other three contained one each.

The study did not call out specific e-commerce plugins used by WordPress sites, nor did it identify which sites used the plugins. Researchers at the firm did not reveal whether the vulnerabilities had been patched by the plugin vendors or websites using them, either.

Developers behind WordPress e-commerce plugins have stayed busy patching issues over the past year. WooCommerce, a plugin that allows site owners to run an online store on top of the WordPress blogging platform, patched a persistent XSS vulnerability in July found by security researchers.

In April, an out-of-date version of a WordPress image slider plugin called RevSlider was to blame for the massive 2.5 terabyte data leak known as the “Panama Papers.” In June, an outdated version of the WordPress plugin WP Mobile Detector was impacted by a file update vulnerability that opened “porn spam doorways” on impacted sites.

In September, WordPress theme publisher DynamicPress fixed a flaw that let anyone upload malicious files to sites running its business-themed Neosense WordPress templates. The compromise impacted the site and possibly the server hosting it.

In its Website Hacked Report (PDF), released earlier this year, security firm Sucuri asserted 78 percent (8,900) of the total number of infected websites it investigated were WordPress sites. Of those infected WordPress sites, 50 percent of those websites were out of date, according Sucuri. It concluded it wasn’t the core WordPress platform itself that was vulnerable; but rather the plugins and themes used by site administrators.

“Vulnerabilities contained within plugins can easily, and quickly, infect millions of websites as was the case with the 2011 TimThumb LFI vulnerability which affected 1.2 million websites and caused the redirection of 200,000 WordPress based pages to rogue sites,” according to Checkmarx. TimThumb is a PHP script that resizes images for websites.

While a fix for the TimThumb plugin was pushed five years ago, there are still thousands of websites using the outdated and flawed version of the script to this day. Plugins RevSlider, GravityForms and TimThumb were responsible for the bulk of WordPress website infections in the first quarter of 2016, according to Sucuri.

Checkmarx is encouraging WordPress site operators to take steps to assure that themes and plugins are updated with the latest security patches. It also suggest downloading plugins from trusted sources and that site administrators frequent the WordPress Vulnerability Database for the latest warnings and updates.

For shoppers, the firm recommends double checking the validity of the SSL certificates used on sites and avoiding reusing the same password.

Suggested articles