Open source content management system forced to disable 10 plugins

UPDATE (07/06) A Multidots representative told The Daily Swig that a technical team had fixed all vulnerable plugins, which had subsequently been submitted to WordPress for review. At the time of writing, seven of the ten plugins have been approved and are live, with the last three expected to be published tomorrow.

Online shops using certain plugins made by the app provider Multidots are vulnerable to attack, researchers from security firm ThreatPress have said.

A total of 10 plugins, which were used to improve the functionality of shops operating on the WooCommerce platform, were removed from the WordPress plugin repository after Multidots failed to update them.

ThreatPress, a cybersecurity company focused on WordPress issues, said the vulnerabilities were disclosed to Multidots on May 5 and were identified as “highly dangerous.”

Sites that had installed the plugins were exposed to stored cross-site scripting (XSS), cross-site request forgery, and SQL injection, according to ThreatPress, putting the sensitive data they carried – such as credit card information – at serious risk of attack.

Approximately 19,400 installations of these plugins had been recorded, leaving a significant number of e-commerce stores susceptible to malware, keyloggers, and other malicious activity.

Multidots is reported to have told ThreatPress that it didn’t understand the vulnerabilities.

Writing in its blog, ThreatPress said: “We were waiting for information about updates of these plugins, but it took too long and there were no clear answers from the vendor about the expected update release date. After a few weeks the plugins were not patched.

“We decided to report this situation to the WordPress plugin repository security team. All WordPress plugins listed above were closed on May 23, 2018, and are no longer available for download.”

While these plugins have been removed from the repository, concern remains that many of the sites that installed them are likely to be unaware that the plugins have been closed, ThreatPress said.

It added: “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way.

“We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”

The Daily Swig has reached out to Multidots for comment.