A vulnerability in a major and widely used WordPress plugin potentially exposed sites to cyber attacks. Specifically, the flaw existed in the Welcart e-Commerce plugin and put thousands of WordPress sites at risk.
Welcart e-Commerce Plugin Bug
Wordfence has once again identified a serious vulnerability in a WordPress plugin. This time, it’s the Welcart e-Commerce plugin that had a PHP object injection bug.
Elaborating on their findings in a blog post, the researchers revealed that they found a high-severity vulnerability in the plugin.
Briefly, the Welcart e-Commerce plugin uses its own cookie to track user sessions. That is where the bug existed: an adversary could send malicious requests and exploit the improper handling of this cookie to inject a PHP object.
Every request to the site results in the usces_cookie being parsed by the get_cookie function. This function used usces_unserialize to decode the contents of this cookie. Unfortunately, this meant that an attacker could send a request with the usces_cookie parameter set to a specially crafted string which, once unserialized, would inject a PHP object.
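To make the mechanism concrete, the following is an added, illustrative PHP example; it is not Welcart's code and does not reproduce the plugin's real get_cookie or usces_unserialize functions. It shows the generic pattern Wordfence describes (a PHP-serialized session cookie passed straight to unserialize) next to two hardened alternatives and a simple detection check a site owner could apply to request logs or a WAF rule. The cookie values, function names and the COOKIE_KEY constant are constructed for the demonstration.

```php
<?php
// Added example, NOT Welcart's code. The plugin is described as
// unserializing a session cookie; this reproduces only the generic
// pattern and the defensive alternatives.

// Constructed sample cookie values for the demonstration.
$benign_cookie = serialize(['cart' => [12, 7], 'lang' => 'ja']);
$object_cookie = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'; // constructed: carries an object record

// --- Vulnerable pattern (CWE-502): unserialize() on a client-controlled value ---
// PHP instantiates any application class named in the payload and runs its
// __wakeup()/__destruct() magic methods, which is what "object injection" means.
function vulnerable_get_cookie(string $raw)
{
    return unserialize($raw);
}

// --- Hardened pattern 1: keep the format, forbid object instantiation ---
// Since PHP 7.0, unserialize() accepts an allowed_classes option. With false,
// any object record becomes __PHP_Incomplete_Class and no magic methods run.
function hardened_get_cookie(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed cookie: treat as no session data
    }
    return $value;
}

// --- Hardened pattern 2: drop PHP serialization for the cookie altogether ---
// JSON cannot express PHP objects, so object injection is ruled out by
// construction. An HMAC over the payload stops clients from forging values.
const COOKIE_KEY = 'placeholder-replace-with-a-random-secret'; // placeholder, not a real key

function encode_cookie(array $data): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function decode_cookie(string $raw): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return null; // tampered or forged cookie
    }
    $data = json_decode(base64_decode($payload, true), true);
    return is_array($data) ? $data : null;
}

// --- Detection helper: flag cookie values carrying a serialized object record ---
// Matches the "O:<len>:"<class>" (and "C:" for Serializable classes) marker at
// the start of the value or after an element separator inside an array.
// Suitable as a log-scan or WAF heuristic; it is a marker check, not a parser.
function contains_serialized_object(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\+?\d+:"/', $raw) === 1;
}

// Demonstration run
var_dump(contains_serialized_object($benign_cookie));
var_dump(contains_serialized_object($object_cookie));
var_dump(hardened_get_cookie($object_cookie));
var_dump(decode_cookie(encode_cookie(['cart' => [12, 7], 'lang' => 'ja'])));
var_dump(decode_cookie('dGFtcGVyZWQ=.0000')); // constructed tampered value
```

The first hardened function is the minimal change for an existing code base that cannot move away from PHP serialization overnight; the second removes the vulnerability class entirely and is the better long-term design for anything stored client-side. The detection helper is deliberately loose so it can be run over raw request logs to spot probing against a site that has not yet been updated.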
The bug has not received a CVE ID yet but has been assigned a CVSS score of 7.5.
Patch Released
Welcart e-Commerce is a popular plugin with a leading market share in Japan. It currently boasts over 20,000 active installations.
Wordfence discovered the bug in October 2020, after which they reached out to the developers.
Consequently, the vendor fixed the vulnerability and rolled out the patch with the release of plugin version 1.9.36.
According to the stats available on the plugin page, around 88% of the sites using this plugin are running version 1.9. However, it is not clear whether all of them have upgraded to the latest patched release.
Moreover, a substantial number of websites are still running older plugin versions, leaving those sites at risk.
WordPress admins must ensure they update their websites with the latest versions of all plugins in use.