The website owners who are using deprecated WP Marketplace WordPress plugin must upgrade to latest e-commerce utility as soon as possible and remove the old plugin from your websites, as the plugin is compromising the web servers.
The main reason we are warning is because the plugin has a security flaw that allows an attacker to upload whatever file he want in your website wherever the plugin is used.
If the attacker is very skilled, he can even take down the site’s underlying server.
Security researchers from White Fir Design discovered this flaw, which is an arbitrary file upload vulnerability. The company says it discovered the issue after they detected scans for the plugin’s CSS file on various websites.
“Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something,” a White Fir researcher said. “We have also seen some requests for the file in the third-party data we monitor as well.”
The company discovered the flaw on Friday, October 14, when they contacted the WordPress.org Plugin Directory team, who removed the plugin from their site.
The plugin, created by a developer that goes by the name Shaon, was quite popular a few years back, being a simple solution for running an online store, and was specialized in selling digital products. In the meantime, the developer created a newer plugin, for the same purpose, with more features, called WordPress Download Manager.
As such, he announced on WP Marketplace’s page that he stopped development on the plugin, which received the last update over eight months ago. According to WordPress.org, WP Marketplace still had between 400 and 500 active installs.
According to White Fir Design, Shaon’s latest plugin, WordPress Download Manager, suffers from an authenticated arbitrary file upload vulnerability as well. The company says the issue remains unfixed at the time of writing. The plugin is still available via the WordPress.org plugin repository.
