Ten WordPress Plugins By Multidots For WooCommerce Identified As Vulnerable And Dangerous
May 31, 2018 WooCommerce Security, WordPress Security
Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor, MULTIDOTS Inc. All of the vulnerable plugins are designed to work alongside WooCommerce, so there is a real threat to every online store that runs WooCommerce together with one of these plugins.
Vulnerable WordPress plugins
All of these plugins were available in the WordPress.org plugin repository, and all of them were highly dangerous.
- WooCommerce Category Banner Management (Active installations: 3,000+) – Unauthenticated Settings Change
- Add Social Share Messenger Buttons Whatsapp and Viber (Active installations: 500+) – Cross-Site Request Forgery (CSRF)
- Advance Search for WooCommerce (Active installations: 200+) – Stored Cross-Site Scripting (XSS)
- Eu Cookie Notice (Active installations: 600+) – Cross-Site Request Forgery (CSRF)
- Mass Pages/Posts Creator (Active installations: 1,000+) – Authenticated Stored Cross-Site Scripting (XSS)
- Page Visit Counter (Active installations: 10,000+) – SQL Injection
- WooCommerce Checkout For Digital Goods (Active installations: 2,000) – Cross-Site Request Forgery (CSRF)
- WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (Active installations: 1,000+) – Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS)
- WooCommerce Product Attachment (Active installations: 800+) – Authenticated Stored Cross-Site Scripting (XSS)
- Woo Quick Reports (Active installations: 300+) – Stored Cross-Site Scripting (XSS)
Why are all these plugins closed now?
ThreatPress research team notified MULTIDOTS Inc. about the security issues on 2018-05-08. We received a clear response confirming that they understood the problem. We then waited for information about updates to these plugins, but the vendor gave no clear answer about an expected release date, and after several weeks the plugins were still not patched.
We decided to report this situation to the WordPress plugin repository security team. All WordPress plugins listed above were closed on May 23, 2018, and are no longer available for download.