A host of WordPress plugins contain serious flaws, including many e-commerce add-ons dealing with online payments, researchers have warned.
The vulnerable WordPress plugins detected by Tel-Aviv-based security firm Checkmarx were downloaded millions of times. The researchers warned the flaws could allow hackers to use the WordPress platform, the most popular CMS in the world, as a vehicle for mass infection and malware distribution.
The first test uncovered 18 vulnerable plugins, which were downloaded 18.5 million times. Some of those were produced by WordPress itself, which has now issued fixes, Checkmarx said.
All 18 had been updated by the time Checkmarx did its second test, but just six of the plugins were properly fixed by that time.
In its June test, the firm also found over 20 percent of the most 50 popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. Any sites running these vulnerable plugins are therefore vulnerable too.
A typical SQLi sees attackers attempt to get databases to cough up false information, usually by entering queries into search boxes or in a URL to cause the related SQL database to falter. Another kind of attack sees SQL queries entered into login boxes, attempting to get the server to accept it as a true statement and allow a login without a correct username or password. Automated tools make this kind of hit much easier to carry out.
“If the plugin is vulnerable, say to SQLi, so is the website vulnerable to that type of attack,” Maty Siman, Checkmarx CTO, told TechWeekEurope. “A hacker looking to perform a SQLi attack can simply take any one of the existing automated attack tools, point it to the vulnerable site and attempt to exploit it.”
The researchers also discovered seven out of top 10 most popular e-commerce plugins contained flaws. They were downloaded 1.7 million times.
Checkmarx did not reveal which plugins were vulnerable, but said they included social ones linking to Facebook and certain APIs.
The researchers said whilst it was clear there were some serious security problems with WordPress plugins, other platform providers suffer similar problems.
“The impact? Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details,” the company’s report read.
“Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”
What do you know about Internet security? Find out with our quiz!
Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…
British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues
After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…
OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…
Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…
After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…
View Comments
Not a happy report but not that surprising either. I find this article frustrating though, because what are we supposed to do with this knowledge without knowing which plugins are at risk...
Some crumbs please...
Thanks,
Bob
Hi Bob,
Have asked them repeatedly if they will name the WordPress plugins, but they don't want to disclose, as they work with devs to fix the issues.
Frustrating, but understandable... just.
Thanks for reading.
Tom Brewster
Deputy Editor