A major and widely popular WordPress plugin potentially exposed sites to cyber attacks. Specifically, the vulnerability existed in the Welcart e-commerce plugin that risked thousands of WordPress sites.
Welcart e-Commerce Plugin Bug
Wordfence has once again identified a serious vulnerability in a WordPress plugin. This time, it’s the Welcart e-Commerce plugin that had a PHP object injection bug.
Elaborating on their findings in a blog post, the researchers revealed that they found a high-severity vulnerability in the plugin.
Every request to the site results in the
usces_cookiebeing parsed by the
get_cookiefunction. This function used
usces_unserializeto decode the contents of this cookie.
Unfortunately, this meant that an attacker could send a request with the
usces_cookieparameter set to a specially crafted string which, once unserialized, would inject a PHP object.
The bug hasn’t received a CVE ID yet but has attained a CVSS score of 7.5.
Welcart e-Commerce plugin is a popular plugin with a top market share in Japan. The plugin currently boasts over 20,000 active installations.
Wordfence discovered the bug in October 2020, after which, they reached out to the developers.
Consequently, the vendors fixed the vulnerability and rolled-out the patch with the release of plugin version 1.9.36.
According to the stats available on the plugin page, around 88% of the sites using this plugin are running version 1.9. However, it isn’t clear if all of them have upgraded to the latest version as well.
Also, a sufficient number of websites are still running the old plugin versions risking the sites’ security.
WordPress admins must ensure they update their websites with the latest versions of all plugins in use.