A security vulnerability in the Welcart e-Commerce plugin opens up websites to code injection. Researchers said that this can lead to payment skimmers being installed, the site crashing, or information retrieval via SQL injection.
According to WordPress, Welcart e-Commerce is a free WordPress plugin that has more than 20,000 installations. It has market share in Japan. With the Welcart plugin, site owners can add online shopping to their sites in a turn-key fashion, with 16 different payment options.
The high-severity bug, which exists in the way the platform handles cookies, is a PHP object-injection vulnerability.
Researchers explained in a report on the vulnerability that the plugin uses its own cookies, separate from the ones used by WordPress, to track user sessions. Every request to the site results in the usces_cookie being parsed by the get_cookie function. To decode the contents of this cookie, this function uses usces_unserialize.
Looking more closely, researchers found that a request could be sent with the usces_cookie parameter set to a specially crafted string which, once unserialized, would inject a PHP object.
PHP object injection is an application-level vulnerability that paves the way for code injection, SQL injection, path traversal and application denial of service.
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Because PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call.
PHP object injections can often be used in a bigger exploit chain that allows an attacker to make use of what are known as magic methods. Researchers added that this would allow remote code execution and complete site takeover. Fortunately, that’s not the case here.
According to Wordfence, the plugin included a library, tcpdf, that could have been used, through a __destruct magic method, to create a POP chain under other circumstances. A complete POP chain was not present because the plugin unserialized the cookie before the TCPDF class was loaded.
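The unserialize() behaviour and the role of a __destruct magic method described above, as an added PHP example that is not Welcart's or Wordfence's code: a cookie decoder in the risky form next to a hardened form. The TempFile class, the function names and both cookie strings are constructed for illustration.

```php
<?php
// Constructed stand-in for any loaded class whose destructor has a side
// effect. It is not Welcart or TCPDF code.
final class TempFile
{
    public $path = '';

    public function __destruct()
    {
        // A real class might unlink($this->path); this one only reports it.
        echo "__destruct ran on {$this->path}\n";
    }
}

// Risky pattern: the cookie value goes straight into unserialize(), so the
// client chooses which loaded class is instantiated and with what properties.
function decode_cookie_unsafe(string $raw)
{
    return unserialize($raw);
}

// True if the value is, or contains, an object of any kind.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened: allowed_classes => false (PHP 7.0+) stops unserialize() from
// instantiating any class; anything that is not a plain array is dropped.
function decode_cookie_hardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !contains_object($data)) ? $data : [];
}

// Constructed cookie values: one carrying an object, one plain session array.
$crafted = 'O:8:"TempFile":1:{s:4:"path";s:10:"demo-value";}';
$normal  = 'a:2:{s:3:"sid";s:6:"abc123";s:4:"cart";a:1:{i:0;i:42;}}';

$obj = decode_cookie_unsafe($crafted);
unset($obj);   // TempFile::__destruct runs with state taken from the cookie
var_dump(decode_cookie_hardened($crafted), decode_cookie_hardened($normal));
```

Run with the PHP CLI: the unsafe decoder triggers the destructor with the value taken from the cookie, while the hardened decoder returns an empty array for the crafted cookie and the session array for the normal one. The destructor can only fire because TempFile is already defined when unserialize() runs, which is the load-order condition that left the POP chain incomplete in this plugin.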
WordPress Plugin Vulnerabilities
WordPress plugins continue to provide a convenient avenue of attack for cybercriminals.
In October, two high-severity vulnerabilities that open the door to site takeovers were disclosed in Post Grid, a WordPress plugin with more than 60,000 installations. In September, more than 100,000 WordPress websites were found to be affected by a high-severity flaw in the Email Subscribers & Newsletter plugin.
In August, two critical vulnerabilities were patched in a plugin that is designed to add quizzes and surveys to WordPress websites. The flaws could be exploited by unauthorized attackers to launch varying attacks, including fully taking over vulnerable websites.
In August, Newsletter, another WordPress plugin, was discovered to have a pair of vulnerabilities that could lead to code execution. The plugin was installed 300,000 times.
In July, researchers warned about a critical vulnerability in a WordPress plugin called Comments – wpDiscuz. This plugin was installed on more than 70,000 websites. The flaw allowed unauthenticated attackers to upload arbitrary files and ultimately execute remote code on vulnerable website servers.