Welcart e-Commerce Plugin Bug Exposed WordPress Sites To Code Injection Attacks

A widely used WordPress plugin potentially exposed sites to cyber attacks. Specifically, a vulnerability in the Welcart e-Commerce plugin put thousands of WordPress sites at risk.

Welcart e-Commerce Plugin Bug

Wordfence has once again identified a serious vulnerability in a WordPress plugin. This time it’s the Welcart e-Commerce plugin, which had a PHP object injection bug.

Elaborating on their findings in a blog post, the researchers revealed that they found a high-severity vulnerability in the plugin.

Briefly, the Welcart e-Commerce plugin uses its own cookie to track user sessions. That’s where the bug existed: the improper handling of this cookie allowed an adversary to send malicious requests and exploit it for code injection.

Every request to the site results in the usces_cookie being parsed by the get_cookie function. This function used usces_unserialize to decode the contents of this cookie.
Unfortunately, this meant that an attacker could send a request with the usces_cookie parameter set to a specially crafted string which, once unserialized, would inject a PHP object.
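The pattern the researchers describe, unserialize() applied to raw cookie data, is shown below beside a hardened reader. This is an added illustration, not the Welcart plugin’s own code: the function names, the cookie layout and the sample payloads are constructed for the example, and the placeholder class name in the hostile sample is arbitrary. The hardened version refuses any serialized object (so no class is ever instantiated from the cookie) and, as the preferred alternative, replaces serialization with a JSON cookie bound to a site secret with an HMAC.

```php
<?php
// Added example (not the Welcart plugin's code). All names and samples here
// are assumptions made for illustration.
declare(strict_types=1);

// Constructed sample: a benign serialized cart cookie.
$benign = serialize(['cart' => ['sku-100' => 2], 'currency' => 'JPY']);

// Constructed sample: serialized data that carries an object of some class.
// Only its shape matters; the class name is an arbitrary placeholder.
$hostile = 'O:16:"SomeVendor_Class":1:{s:4:"data";s:5:"hello";}';

/**
 * Unsafe pattern from the advisory: unserialize() on raw cookie input.
 * Any class named in the string is instantiated, and its magic methods
 * (__wakeup, __destruct, __toString) run with the plugin's privileges.
 */
function unsafe_get_cookie(string $raw)
{
    return @unserialize($raw);
}

/**
 * Hardened reader: allowed_classes => false turns every object into
 * __PHP_Incomplete_Class instead of a live instance; any such object is
 * then detected and the whole cookie is rejected. Only arrays survive.
 */
function safe_get_cookie(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false || contains_object($value)) {
        return null;                       // invalid data or smuggled object
    }
    return is_array($value) ? $value : null;
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Preferred design: JSON (no object semantics) plus an HMAC tag. */
function make_signed_cookie(array $data, string $secret): string
{
    $payload = json_encode($data, JSON_THROW_ON_ERROR);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $secret);
}

function read_signed_cookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false ||
        !hash_equals(hash_hmac('sha256', $payload, $secret), $parts[1])) {
        return null;                       // forged or tampered cookie
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Demonstration on the constructed samples.
var_dump(unsafe_get_cookie($benign));   // array(2) {...}
var_dump(unsafe_get_cookie($hostile));  // __PHP_Incomplete_Class here because the
                                        // class is undefined; a defined class would
                                        // become a live object
var_dump(safe_get_cookie($benign));     // array(2) {...}
var_dump(safe_get_cookie($hostile));    // NULL

$secret = 'constructed-demo-secret';
$cookie = make_signed_cookie(['cart' => ['sku-100' => 2]], $secret);
var_dump(read_signed_cookie($cookie, $secret));        // array(1) {...}
var_dump(read_signed_cookie($cookie . 'x', $secret));  // NULL (tampered)
```

For detection, a request log that shows the session cookie beginning with an object marker rather than an array marker is a useful signal: a legitimate cart cookie from a reader like safe_get_cookie never contains an object.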

The bug hasn’t received a CVE ID yet but has been assigned a CVSS score of 7.5.

Patch Released

Welcart e-Commerce is a popular plugin with the leading market share in Japan. It currently boasts over 20,000 active installations.

Wordfence discovered the bug in October 2020, after which they reached out to the developers.

Consequently, the vendor fixed the vulnerability and rolled out the patch with the release of plugin version 1.9.36.

According to the stats available on the plugin page, around 88% of the sites using this plugin are running version 1.9. However, it isn’t clear whether all of them have upgraded to the patched release as well.

A considerable number of websites are also still running older plugin versions, leaving those sites exposed.

WordPress admins must ensure they update their websites with the latest versions of all plugins in use.
