Plugins Wordpress da Multidots deixa websites ecommerce vulneráveis

Investigadores da empresa ThreatPress descobriram vulnerabilidades de segurança em dez plugins WordPress desenvolvidos pela Multidots, uma empresa de sites de comércio eletrónico.

Quase 20.000 instalações do WordPress utilizam os plugins vulneráveis que estão disponíveis no theWordPress.org. Estes plugins implementam um conjunto de recursos para instalações WooCommerce que permitem que os administradores administrem as suas lojas on-line.

“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins designed to work alongside with WooCommerce so there is a real threat to all online stores powered by WooCommerce and one of these plugins.” reads a blog postpublished by ThreatPress.
“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”

Os plugins multidots estão vulneráveis a cross-site scripting (XSS), cross-site request forgery (CSRF) e vulnerabilidades de injeção de SQL que podem ser exploradas por um invasor de forma a assumir o controlo total das instalações de comércio eletrónico.

As falhas foram identificadas como CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 e CVE-2018-11632, e podem permitir que ciberatacantes atuem através de um largo horizonte de ataque, como p.ex., instalação de criptominers maliciosos, ou kits de exploração de forma a disseminar malware.

Os investigadores alertam ainda que algumas vulnerabilidades podem ser exploradas sem qualquer interação do utilizador.

Os investigadores da ThreatPress comunicaram a falha à Multidots em 8 de maio de 2018. A empresa reconheceu as falhas de imediato, mas ainda não as resolveu.

ThreatPress publicou detalhes técnicos das vulnerabilidades e para cada uma delas um código de prova de conceito (PoC).

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.