WordPress plugin is used by over 660,000 online stores

Jun 12, 2015 14:16 GMT  ·  By

WooCommerce for the WordPress content management system (CMS) has been updated to address a serious vulnerability that could allow a threat actor to download arbitrary files from the server, such as the configuration file holding the site's database credentials.

The plugin is a complete eCommerce solution for the CMS that allows users to sell anything through their websites. It currently has more than 1 million active installations.

WooThemes, the developer of the plugin, says that the solution has been downloaded more than 8.1 million times and it serves 24% of all eCommerce sites, which would translate to over 660,000 online shops.

Serious security flaw can bring business down

According to Sucuri, the weakness is present only if the “PayPal Identity Token” option is enabled, as it opens the door to a PHP Object Injection vulnerability (attacker-controlled data reaching PHP's unserialize(), which instantiates whatever classes the data names). What an attacker can do with it depends on the configuration of each website, but the possible attacks include code injection, SQL injection and application denial of service.

During tests, the researchers mixed “WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643) to download critical files, files like wp-config.php.” The file contains highly sensitive information (database credentials, secret keys) that could lead to complete compromise of the website.
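To make the two preceding paragraphs concrete, the following is an added example (not WooCommerce, WordPress or Sucuri code) of what a PHP Object Injection bug looks like and how it is closed. The class LogWriter, the handler function names and the temporary file path are all hypothetical stand-ins: LogWriter represents any class in an application whose magic method (__destruct, __wakeup, __toString) has a side effect, and the string passed to the handlers represents a request parameter. The attacker never needs the class source, only its name and property names, because the payload is simply PHP's serialization format. This does not reproduce the WooCommerce exploit chain or CVE-2013-1643; it shows the underlying mechanism.

```php
<?php
// Added example, not code from WooCommerce, WordPress or Sucuri.
// Hypothetical "gadget" class: an innocuous helper whose destructor writes a
// buffer to disk. PHP runs __destruct() on every object it tears down,
// including objects materialised by unserialize() from attacker data.
class LogWriter
{
    public $path = '';
    public $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() with no class restriction.
function vulnerable_handler($untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern (PHP >= 7.0): refuse to instantiate any class. The data still
// parses, but as __PHP_Incomplete_Class, so LogWriter::__destruct() never runs.
function hardened_handler($untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Attacker side: craft the payload by hand. Only the class name and property
// names are needed; every string is length-prefixed, so no escaping tricks apply.
function craft_payload($targetPath, $contents)
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($targetPath), $targetPath, strlen($contents), $contents
    );
}

// Constructed demo input: the write target is a scratch file in the temp dir.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = craft_payload($target, "written by a deserialized object\n");
echo "payload: $payload\n";

// 1. Vulnerable handler: the object is created; when it goes out of scope its
//    destructor fires and writes a file of the attacker's choosing.
$obj = vulnerable_handler($payload);
unset($obj);                                     // triggers LogWriter::__destruct()
printf("vulnerable: file written = %s\n", var_export(file_exists($target), true));
@unlink($target);

// 2. Hardened handler: same payload, but no LogWriter object ever exists.
$obj = hardened_handler($payload);
printf("hardened:   class = %s, file written = %s\n",
    get_class($obj), var_export(file_exists($target), true));
unset($obj);
```

Running this prints file written = true for the vulnerable handler and __PHP_Incomplete_Class with file written = false for the hardened one. In a real application the gadget is rarely a single class: attackers chain existing classes from the CMS, its plugins and the PHP extensions that happen to be loaded, which is why the impact is described as configuration dependent. Where external data does not need to carry PHP objects at all, exchanging it as JSON (json_decode) rather than PHP serialization removes the issue entirely.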

“It is worth noting that even if your site doesn’t run on top of an old version of PHP, a lot of different attack vectors could be used by an attacker depending on what extensions you have available,” Marc-Alexandre Montpas from Sucuri warns.

Details disclosed, exploit code can be crafted

Technical details about the vulnerability have been disclosed, which could be used by threat actors to create working exploits.

As such, admins relying on WooCommerce for handling online sales are strongly recommended to update the software to the latest version, currently 2.3.11, without any delay.

Michael Weichselgartner, an expert in WordPress and WooCommerce, says that cybercriminals take about 12 hours from the disclosure of a vulnerability to create malicious code that leverages it.
