A security vulnerability in the Welcart e-Commerce plugin opens up websites to code injection. According to researchers, it could be used to install payment skimmers, crash the site or extract data via SQL injection.
Welcart e-Commerce is a free WordPress plugin that has more than 20,000 installations – it enjoys top market share in Japan, according to WordPress. It allows site owners to add online shopping to their sites in a turn-key fashion, with options to sell physical merch, digital goods and subscriptions, with 16 different payment options.
The high-severity bug (CVE is pending) is a PHP object-injection vulnerability, which exists in the way the platform handles cookies, according to Wordfence.
“It uses its own cookies, separate from the ones used by WordPress, in order to track user sessions,” researchers explained in a Thursday posting on the vulnerability. “Every request to the site results in the usces_cookie being parsed by the get_cookie function. This function used usces_unserialize to decode the contents of this cookie.”
Looking closer, researchers found that it is possible to send a request with the usces_cookie value set to a specially crafted serialized string which, once unserialized, instantiates an attacker-chosen PHP object inside the application.
PHP object injection is an application-level vulnerability that paves the way for code injection, SQL injection, path traversal and application denial-of-service.
“The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function,” according to OWASP. “Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.”
PHP object injection can often be used in a larger exploit chain that abuses what are known as magic methods (such as __destruct or __wakeup) on classes already defined in the application, researchers added, which can lead to remote code execution and complete site takeover. Fortunately, that is not the case here.
“This plugin included a library, tcpdf, that contains a __destruct magic method that could have been used to create a POP chain under other circumstances,” according to Wordfence. “A complete POP chain was not present because the plugin unserialized the cookie before the TCPDF class was loaded and defined, so it was not possible to inject an object with this class.”
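To make the mechanics concrete, the following is an added illustration written for this article; it is not Welcart's or Wordfence's code. The hypothetical LogWriter class stands in for a library class with a __destruct method (the article names TCPDF), the bare unserialize() call stands in for the plugin's usces_unserialize wrapper, and the cookie payload is constructed here. It shows the vulnerable pattern beside two hardened alternatives, and why a class that is not yet defined cannot be used as a gadget:

```php
<?php
// Added example, not Welcart's code. LogWriter, build_payload and the
// get_cookie_* functions are hypothetical stand-ins for the pattern described.

// A gadget class: its __destruct runs automatically when the object is freed.
// If an attacker controls $file and $data, a real class like this becomes an
// arbitrary file write. Here it only echoes so the effect is visible.
class LogWriter {
    public $file = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        echo "__destruct fired: would write to {$this->file}\n";
    }
}

// Vulnerable pattern: session state read straight from a cookie and unserialized.
function get_cookie_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened option 1 (PHP >= 7.0): never instantiate classes from the cookie.
// Any object in the payload becomes __PHP_Incomplete_Class, which has no
// magic methods to abuse. This is the same placeholder PHP produces when the
// named class is neither defined nor reachable via an autoloader at the time
// unserialize() runs, which is why the plugin's load order saved it here.
function get_cookie_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened option 2 (PHP >= 7.3 for JSON_THROW_ON_ERROR): use a data-only
// format. JSON cannot express PHP objects at all, so there is nothing to inject.
function get_cookie_json(string $raw) {
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// Constructed attacker cookie: a serialized LogWriter with attacker-chosen
// fields. sprintf keeps the string-length prefixes in the format correct.
function build_payload(string $file, string $data): string {
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"file";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($file), $file, strlen($data), $data
    );
}

$payload = build_payload('/var/www/html/shell.php', '<?php echo 1; ?>');

// 1. Vulnerable: the object is rebuilt and __destruct fires when it is freed.
$obj = get_cookie_vulnerable($payload);
echo "vulnerable: got " . get_class($obj) . "\n";   // LogWriter
unset($obj);                                         // __destruct runs here

// 2. allowed_classes => false: placeholder object, no destructor to trigger.
$obj = get_cookie_no_classes($payload);
echo "hardened:   got " . get_class($obj) . "\n";   // __PHP_Incomplete_Class
unset($obj);                                         // nothing happens

// 3. JSON: the serialized payload is simply invalid input and is rejected.
try {
    get_cookie_json($payload);
} catch (JsonException $e) {
    echo "json:       rejected ({$e->getMessage()})\n";
}
```

Run it with the PHP CLI (php example.php). Only the first case prints the __destruct line; the second yields an inert placeholder object, and the third refuses the input outright. In practice, a session cookie should also be integrity-protected (for example, an HMAC over its contents) so that a tampered value is rejected before any parsing takes place.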
The plugin’s publisher, Collne Inc., patched the issue in version 1.9.36 of Welcart, released in October. Site admins should upgrade as soon as they can.
Plug-in Problems
WordPress plugins continue to provide a convenient attack avenue for cybercriminals.
In October, two high-severity vulnerabilities were disclosed in Post Grid, a WordPress plugin with more than 60,000 installations, which open the door to site takeovers. And in September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.
Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.
And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.