Multidots Inc. is a software development company from India that has developed a wide range of WordPress plugins. About a month ago the ThreatPress Security Research Team found a number of vulnerabilities in ten plugins designed by Multidots to extend the capabilities of WooCommerce, that is, plugins for online stores powered by WooCommerce / WordPress. ThreatPress notified Multidots about the issues immediately. Usually a developer fixes such problems as soon as possible, but in this case everything went quite differently.
Vulnerable plugins by Multidots
So, overall ThreatPress found ten vulnerable plugins, all of them hosted in the WordPress.org plugin repository. Here’s the list (plugin name, active installs and vulnerability type):
- WooCommerce Category Banner Management (Active installations: 3,000+) – Unauthenticated Settings Change
- Add Social Share Messenger Buttons Whatsapp and Viber (Active installations: 500+) – Cross-Site Request Forgery (CSRF)
- Advance Search for WooCommerce (Active installations: 200+) – Stored Cross-Site Scripting (XSS)
- Eu Cookie Notice (Active installations: 600+) – Cross-Site Request Forgery (CSRF)
- Mass Pages/Posts Creator (Active installations: 1,000+) – Authenticated Stored Cross-Site Scripting (XSS)
- Page Visit Counter (Active installations: 10,000+) – SQL Injection
- WooCommerce Checkout For Digital Goods (Active installations: 2,000) – Cross-Site Request Forgery (CSRF)
- WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (Active installations: 1,000+) – Cross-Site Request Forgery (CSRF) and Stored Cross-site scripting (XSS)
- WooCommerce Product Attachment (Active installations: 800+) – Authenticated stored Cross-Site Scripting (XSS)
- Woo Quick Reports (Active installations: 300+) – Stored Cross-Site Scripting (XSS)
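To make the vulnerability classes in the list above concrete, here is an added illustration of how each typically shows up in a WordPress/WooCommerce plugin settings page, each vulnerable snippet beside its hardened form. This is example code written for this post, not code from any Multidots plugin; the hook, option and table names are hypothetical.

```php
<?php
// Added illustration (not code from any Multidots plugin): the vulnerability
// classes listed above as they typically appear in a WordPress/WooCommerce plugin
// settings page, each beside its fix. Hook, option and table names are hypothetical.

// --- Unauthenticated settings change / CSRF ---
// Vulnerable: runs on every request, trusts $_POST, no capability or nonce check.
add_action('init', function () {
    if (isset($_POST['banner_html'])) {
        update_option('example_banner_html', $_POST['banner_html']);
    }
});

// Hardened: admin-post endpoint, administrators only, nonce required.
add_action('admin_post_example_save_banner', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    check_admin_referer('example_save_banner'); // dies unless the form carried a valid nonce
    $html = wp_kses_post(wp_unslash($_POST['banner_html'] ?? '')); // drops script tags and event handlers
    update_option('example_banner_html', $html);
    wp_safe_redirect(admin_url('admin.php?page=example-banner&saved=1'));
    exit;
});
// The matching form posts to admin-post.php with a hidden "action" field set to
// "example_save_banner" and calls wp_nonce_field('example_save_banner').

// --- Stored XSS ---
// Vulnerable: stored value printed raw, so injected markup runs for every visitor.
function example_render_banner_vulnerable() {
    echo get_option('example_banner_html');
}
// Hardened: filter on output too; input filtering above is defence in depth, not a substitute.
function example_render_banner_hardened() {
    echo wp_kses_post(get_option('example_banner_html'));
}

// --- SQL injection ---
// Vulnerable: request value interpolated straight into the query string.
function example_visit_count_vulnerable($wpdb) {
    $post_id = $_GET['post_id'];
    return $wpdb->get_var("SELECT visits FROM {$wpdb->prefix}example_visits WHERE post_id = $post_id");
}
// Hardened: coerce to an integer and bind through $wpdb->prepare().
function example_visit_count_hardened($wpdb) {
    $post_id = absint($_GET['post_id'] ?? 0);
    $sql = "SELECT visits FROM {$wpdb->prefix}example_visits WHERE post_id = %d";
    return $wpdb->get_var($wpdb->prepare($sql, $post_id));
}
```

The common thread is that every handler which changes state or touches the database needs a capability check, a nonce check, and escaping or parameter binding at the boundary; a plugin that lacks any one of them falls into one of the categories listed above.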
I was a little disappointed by the whole course of events and by how Multidots reacted to the situation. First of all, I need to mention that everything started about one month ago, when they received an email from ThreatPress about all the vulnerabilities found in their WordPress plugins.
A few weeks later, none of the plugins had been updated or fixed. Thousands of WooCommerce stores were under real threat, because the vulnerabilities were severe and hackers could exploit them at any time.
A decision was made to report the vulnerabilities to the WordPress Security Team. Right after submission of all the necessary information, all ten plugins were closed by the WordPress Security Team.
The guys from WordPress did a great job by reacting instantly to the report. However, a few problems still do not give me peace. The first is the absence of alerts about closed WordPress plugins through the same mechanism that informs you about available WordPress core, plugin or theme updates. You can read more about this issue in my blog post about the security threats caused by closed WordPress plugins.
The second and biggest problem is the way Multidots managed this situation. There was no rush to fix the vulnerable code. Knowing that all the vulnerable plugins were designed to extend the capabilities of WooCommerce, I can’t imagine what would have happened if some hacker had been the first to find those vulnerabilities. How many credit card numbers and how much personal data could have been leaked?
The third problem is how Multidots concealed information about serious vulnerabilities. They managed to update several plugins, which are again available for download from the WordPress.org plugin repository. That is great, and I’m pleased that they managed to do it. But now let’s look at the changelog of one of the restored plugins.
Since when do we call SQL Injection (SQLi) a “minor bug”? A minor bug that could cause a major catastrophe? This is one of the most irresponsible acts. Why?
Plugin users will not hurry to update the plugin after seeing this changelog record. Who will bother with a “minor fix”? I think they tried to protect their brand name by hiding the real reason for the fix, but it is unfair and irresponsible.
And the last disappointment is that ThreatPress is not mentioned in a changelog or by Multidots as the company that detected the vulnerabilities and saved Multidots clients from possible hacks.
I just want to warn WooCommerce web store owners to follow cybersecurity news more often and to check their software status constantly. You can use the ThreatPress Security and Monitoring plugin to avoid similar situations: you will be notified instantly if any of your plugins or themes is identified as vulnerable. I would recommend that software developers respond to security incidents more adequately than Multidots did.