Almost 20,000 WordPress installations use the vulnerable plugins, which are available on WordPress.org. These plugins implement a set of features for WooCommerce installations that let administrators manage their online shops.
“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins are designed to work alongside WooCommerce, so there is a real threat to all online stores powered by WooCommerce and one of these plugins,” reads a blog post published by ThreatPress.
“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”
The MULTIDOTS plugins are vulnerable to cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection flaws that an attacker can exploit to take full control of the affected e-commerce installations.
The flaws were assigned CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632, and give attackers a wide range of options, such as installing malicious cryptominers or exploit kits to distribute malware.
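The three bug classes named above (CSRF, SQL injection and stored XSS) typically show up together in a WordPress plugin's admin request handler. The following is an added illustration written for this page; it is not code from the MULTIDOTS plugins and does not reproduce any of the reported flaws. The hypothetical `demo_save_note` AJAX action, the `demo_notes` table and the capability chosen are assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `$wpdb->prepare`, `esc_html`, `sanitize_text_field`) are real core APIs.

```php
<?php
// Added example, constructed for illustration; not the vendor's code.
// Hypothetical admin AJAX action that stores a note against a product.

// --- Vulnerable pattern: the three bug classes in one handler ---
// Not registered with add_action() here; shown only for contrast.
function demo_save_note_vulnerable() {
    global $wpdb;
    // CSRF: no nonce and no capability check. A page under the attacker's
    // control can make any logged-in user's browser fire this request.
    $product_id = $_POST['product_id'];
    $note       = $_POST['note'];
    // SQL injection: request data interpolated straight into the query.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}demo_notes (product_id, note) VALUES ($product_id, '$note')" );
    // Stored XSS: the note is later printed in the admin screen unescaped.
    echo '<p class="demo-note">' . $note . '</p>';
    wp_die();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_demo_save_note', 'demo_save_note_hardened' );
function demo_save_note_hardened() {
    global $wpdb;

    // CSRF: require a nonce tied to this action and the current user.
    // check_ajax_referer() terminates the request with -1 if it is missing or invalid.
    check_ajax_referer( 'demo_save_note', 'nonce' );

    // Least privilege: only shop managers and administrators may write notes
    // (the capability is an assumption for this example).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: product id must be a positive integer, note plain text.
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $note       = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    if ( 0 === $product_id ) {
        wp_send_json_error( 'bad product id', 400 );
    }

    // SQL injection: parameterised query through $wpdb->prepare().
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}demo_notes (product_id, note) VALUES (%d, %s)",
        $product_id,
        $note
    ) );

    wp_send_json_success();
}

// Rendering the stored note: escape on output. This is what stops stored XSS
// even if input sanitisation is bypassed or the row was written by other code.
function demo_render_note( $note ) {
    return '<p class="demo-note">' . esc_html( $note ) . '</p>';
}

// The form or JavaScript that calls the handler must send the matching nonce,
// e.g. wp_nonce_field( 'demo_save_note', 'nonce' ) in a form, or
// wp_create_nonce( 'demo_save_note' ) passed as the 'nonce' POST field.
```

Note that the nonce check alone does not replace the capability check: a nonce only proves the request originated from a page WordPress rendered for that user, not that the user is allowed to perform the action, so both checks are needed on every state-changing handler.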
“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analysing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.