WordPress plugins for WooCommerce by Multidots endangered thousands of online stores

Multidots Inc. is a software development company from India that has developed a wide range of various WordPress plugins. About a month ago ThreatPress Security Research Team found a lot of vulnerabilities in ten plugins designed by Multidots to extend the capabilities of WooCommerce. As you can understand, these plugins designed for online stores powered by WooCommerce / WordPress. ThreatPress notified the Multidots instantly about the issues with their WordPress plugins, usually developer fixes problem as soon as possible, but in this case, everything went quite a different way.

Vulnerable plugins by Multidots

So, overall ThreatPress found that there are ten vulnerable plugins. All of them hosted on WordPress.org plugin repository. Here’s the list of these plugins (plugin name, active installs and vulnerability type):

Continue reading WordPress plugins for WooCommerce by Multidots endangered thousands of online stores

WordPress plugins – closed, abandoned and dangerous

WordPress plugins, and more precisely their security is one of the most common causes of website hacks. There are more than 55,000 plugins available on the WordPress.org plugin directory. More of them are available at Codecanyon and other similar plugin directories or numerous plugin vendor sites. Checking all the code lines of each plugin is impossible. No one knows how much of them are vulnerable. Vulnerable plugins periodically identified by WordPress community or WordPress security companies.

In most cases, these vulnerabilities fixed as soon as possible. But sometimes WordPress Security Team closes vulnerable plugins if there are no updates from authors within a specified period or plugin poses a high threat. And here we have a huge problem. By closing a vulnerable plugin WordPress Security Team protects all users from downloading an unsafe software, but what about those who already have those plugins installed on their websites?

Closed WordPress plugins by Multidots

I will write a separate post about this case, but now I want to use it as an example. Recently WordPress security company ThreatPress found ten vulnerable WordPress plugins designed for WooCommerce function extension. They notified Multidots Inc. about the security issues of their products. Later ThreatPress research team informed WordPress Security Team since there were no updates for several weeks. All ten plugins – closed. Continue reading WordPress plugins – closed, abandoned and dangerous

ThreatPress report of WordPress vulnerabilities for the 2017 year

ThreatPress published a summary of all WordPress vulnerabilities detected in the 2017 year. This beautiful info-graphic (below) gives statistical information collected from ThreatPress database of WordPress vulnerabilities and data available on such open sources like WordPress.org website.

All of the WordPress plugins that were marked as vulnerable in the 2017 year have more than seventeen million active installs. Just imagine how many sites were at potential risk. I think we’re talking about a number that exceeds five million websites. Five million!!! OK, let’s see what more do we have on this infographic.

ThreatPress 2017 year report in numbers

  • 221 vulnerability added to the database of WordPress vulnerabilities compared to the 234 vulnerabilities in the 2016 year.
  • 202 plugins were identified as vulnerable, 153 of them hosted on WordPress.org plugin repository.
  • 5 WordPress themes were identified as vulnerable, this number could be much bigger, but it’s hard to access and check themes from premium repositories.
  • The most common vulnerability type was a Cross-Site Scripting (XSS) with a SQL Injection (SQLi) on a second place and Broken Access Control on the third.
  • Other quite common vulnerability types in the 2017 year were Cross-Site Request Forgery (CSRF), Arbitrary File Upload, BYPASS, Arbitrary File Download, PHP Object Injection and Local File Inclusion.
  • Top five vulnerable plugins in the 2017 year (by the number of active installs according to WordPress.org data) were Yoast SEO, WooCommerce, Smush Image Compression and Optimisation, Duplicator and Loginizer.
  • There were 8 WordPress security-related releases in the 2017 year.

Continue reading ThreatPress report of WordPress vulnerabilities for the 2017 year

WordPress turns 14, and it’s already the coolest kid on the block

WordPress celebrates its fourteenth birthday, and I would like to salute Matt Mullenweg, Mike Little, Automattic, and the whole WordPress community. We have raised the coolest kid on the block, and it rocks the world. Fourteen years ago it was hard to predict the success of WordPress and its way of evolution. It started as a b2/cafelog fork on May 27, 2003, and now it is the most popular content management system on the planet. Now it powers more than a quarter of all websites. It means WordPress proudly powers every fourth site on the Internet.

WordPress evolution key points

  • May 27, 2003 – first version released.
  • June 6, 2003 – first update released.
  • June 9, 2003 – full-fledged verion 0.71 now available.
  • January 3, 2004 – version 1.0 (Miles Davis) says Hello World!
  • December 31, 2005 – version 2.0 (Duke Ellington) released.
  • March 10, 2006 – first ever security release 2.02 available.
  • October 23, 2006 – MU 1.0 and bbPress introduced.
  • June 17, 2010 – version 3.0 (Thelonious Monk) released.
  • September 4, 2014 – version 4.0 (Benny Goodman) hits the road.
  • May 25, 2017 – two days before fourteenth birthday version 4.8 RC released.

Continue reading WordPress turns 14, and it’s already the coolest kid on the block