Thursday, February 27, 2025
Follow us On Linkedin
HomeWordpressTen WordPress Plugins For WooCommerce Expose E-Commerce Stores to a Range of...

Ten WordPress Plugins For WooCommerce Expose E-Commerce Stores to a Range of Attacks

Wordpress

Published on

By Gurubaran
Ten WordPress Plugins For WooCommerce Expose E-Commerce Stores to a Range of Attacks

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Serious security flaws identified in ten WordPress Plugins could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.

All the plugins are developed by MULTIDOTS Inc to work only with WooCommerce (WordPress eCommerce Platform). The plugins vulnerability puts a number of Store Owners at risk.

Researchers from threatpress identified the ten WordPress Plugins and reported to MULTIDOTS Inc, but the vendor failed to patch the plugins.

So it has been reported by threatpress o the WordPress plugin repository security team and the plugins are taken down from the store on May 23, 2018. According to the WordPress plugin repository, over 19,400 active installs of these ten Vulnerable WordPress Plugins.

As there is too many up’s and down’s in WordPress usage, it requires a security consideration, so the WordPress Penetration testing is essential to find the vulnerabilities and to secure your WordPress powered blog.

Ten WordPress Plugins

WooCommerce Category Banner Management – Unauthenticated Settings Change
Add Social Share Messenger Buttons Whatsapp and Viber – Cross-site Request Forgery
Advanced Search for WooCommerce – Stored Cross-site scripting (XSS)
Eu Cookie Notice – Cross-site request forgery (CSRF)
Mass Pages/Posts Creator – Authenticated Stored Cross-Site Scripting (XSS)
Page Visit Counter – SQL Injection
WooCommerce Checkout For Digital Goods – Cross-site request forgery (CSRF)
WooCommerce Enhanced E-commerce Analytics Integration with Conversion Tracking – Cross-site request forgery (CSRF) and Stored Cross-site scripting (XSS)
WooCommerce Product Attachment – Authenticated stored Cross-site scripting (XSS)
Woo Quick Reports – Stored Cross-Site Scripting (XSS)

ten Vulnerable WordPress Plugins

“The author (MULTIDOTS Inc.) failed to fix the problem within a period of 3 weeks. It’s good to know that WordPress Security reacts quickly, but still, we have a big problem.” Threatpress published blog PoC for all the vulnerabilities.

These vulnerabilities tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632 and still, the vulnerabilities are not patched.

“We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Android

Google’s SafetyCore App Secretly Scans All Photos on Android Devices

Recent revelations about Google’s SafetyCore app have ignited a firestorm of privacy debates, echoing...
Apple

New “nRootTag” Attack Turns 1.5 Billion iPhones into Free Tracking Tools

Security researchers have uncovered a novel Bluetooth tracking vulnerability in Apple’s Find My network...
Cyber Security News

Authorities Arrested Hacker Behind 90 Major Data Breaches Worldwide

Cybersecurity firm Group-IB, alongside the Royal Thai Police and Singapore Police Force, announced the...
Cisco

Cisco Nexus Vulnerability Allows Attackers to Inject Malicious Commands

Cisco Systems has issued a critical security advisory for a newly disclosed command injection...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

CVE/vulnerability

Millions of WordPress Websites Vulnerable to Script Injection Due to Plugin Flaw

A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million...
CVE/vulnerability

90,000 WordPress Sites Exposed to Local File Inclusion Attacks

A critical vulnerability (CVE-2025-0366) in the Jupiter X Core WordPress plugin, actively installed on...
cyber security

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm,...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved