Friday, February 7, 2025
HomeWordpressTen WordPress Plugins For WooCommerce Expose E-Commerce Stores to a Range of...

Ten WordPress Plugins For WooCommerce Expose E-Commerce Stores to a Range of Attacks

Published on

SIEM as a Service

Follow Us on Google News

Serious security flaws identified in ten WordPress Plugins could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.

All the plugins are developed by MULTIDOTS Inc to work only with WooCommerce (WordPress eCommerce Platform). The plugins vulnerability puts a number of Store Owners at risk.

Researchers from threatpress identified the ten WordPress Plugins and reported to MULTIDOTS Inc, but the vendor failed to patch the plugins.

So it has been reported by threatpress o the WordPress plugin repository security team and the plugins are taken down from the store on May 23, 2018. According to the WordPress plugin repository, over 19,400 active installs of these ten Vulnerable WordPress Plugins.

As there is too many up’s and down’s in WordPress usage, it requires a security consideration, so the WordPress Penetration testing is essential to find the vulnerabilities and to secure your WordPress powered blog.

Ten WordPress Plugins

WooCommerce Category Banner Management – Unauthenticated Settings Change
Add Social Share Messenger Buttons Whatsapp and Viber – Cross-site Request Forgery
Advanced Search for WooCommerce – Stored Cross-site scripting (XSS)
Eu Cookie Notice – Cross-site request forgery (CSRF)
Mass Pages/Posts Creator – Authenticated Stored Cross-Site Scripting (XSS)
Page Visit Counter – SQL Injection
WooCommerce Checkout For Digital Goods – Cross-site request forgery (CSRF)
WooCommerce Enhanced E-commerce Analytics Integration with Conversion Tracking – Cross-site request forgery (CSRF) and Stored Cross-site scripting (XSS)
WooCommerce Product Attachment – Authenticated stored Cross-site scripting (XSS)
Woo Quick Reports – Stored Cross-Site Scripting (XSS)

ten Vulnerable WordPress Plugins

“The author (MULTIDOTS Inc.) failed to fix the problem within a period of 3 weeks. It’s good to know that WordPress Security reacts quickly, but still, we have a big problem.” Threatpress published blog PoC for all the vulnerabilities.

These vulnerabilities tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632 and still, the vulnerabilities are not patched.

“We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware

Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS...

WordPress Plugin Vulnerability Exposes 23k+ Websites to Hacking

Researchers from Patchstack have warned that over 23,000 real estate websites using the popular...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...