Is your e-commerce website vulnerable to code injection attacks?

Nadejda

31st December 2020 · Website Security


It is well known that, despite WordPress’s popularity, its themes and plugins, especially the popular ones, are susceptible to hacks and data leaks.

A hugely popular plugin has been discovered to have a dangerous flaw. Welcart, known mainly in the Japanese market, gives hackers the opportunity to crash websites and steal credit card information.

This plugin is little known in the West, yet it supports many useful features for e-commerce store owners. It provides shopping cart functionality and a number of payment options. It has been downloaded more than 20,000 times from the official WordPress store.

Unfortunately, it’s not as secure as it looks. Recently, the security research firm Wordfence announced that it had found a vulnerability in the plugin which in theory will allow hackers to infiltrate a website. Currently no such case has been reported, but this is a very real and present threat.

It’s also bad timing for such a vulnerability to surface, not just because of the holiday season and the increase in shopping, but also because of the spike in ransomware against WordPress websites this year.

What was the glitch?

For all of you non-tech people out there, this is how the glitch works. The Welcart plugin uses a completely different set of cookies from the ones used by WordPress. In normal cases there is nothing dangerous about these cookies, as they only keep track of users’ sessions. Welcart reads a cookie called usces_cookie by using the get_cookie function. The plugin then uses usces_unserialize to decode the contents of the cookie, which allows it to read the cookies which have already been delivered to the users.

Here comes the dangerous part. According to the research, it’s possible to set the usces_cookie parameter so that it injects PHP objects once unserialized. This problem would have been picked up by dynamic application security testing protocols, or in cases when applications are constantly scanning for vulnerabilities so that they can detect them before they get worse; in the plugin’s case, however, this was not done properly.

Hackers could take advantage of this hole and load a malicious PHP object into the WordPress website. Once this object is loaded, it can inject malicious code into the same website.

With the help of this functionality, hackers could make requests of other websites’ PHP tables. It’s possible that in this case hackers could have gained access to names and addresses, as well as credit card information of customers.
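The cookie-decoding pattern described above, shown beside two hardened forms. This is an added example, not Welcart's code and not code from the original article; every function name, the class LoadedClass and the demo key are hypothetical, and the cookie value is constructed for the demonstration.

```php
<?php
// Harmless stand-in for any class the site has loaded that defines a magic method.
class LoadedClass {
    public static $woke = false;
    public function __wakeup() { self::$woke = true; } // invoked by unserialize()
}

// Weak pattern: the cookie value goes straight into unserialize().
function decode_cookie_unsafe(string $raw) {
    return unserialize(base64_decode($raw));
}

// Hardened form 1: never instantiate a class from cookie data.
function decode_cookie_no_objects(string $raw) {
    return unserialize(base64_decode($raw), ['allowed_classes' => false]);
}

// Hardened form 2: JSON holds only scalars and arrays, and an HMAC
// rejects any value the server did not issue itself.
function encode_cookie_signed(array $data, string $key): string {
    $body = base64_encode(json_encode($data));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}
function decode_cookie_signed(string $raw, string $key): ?array {
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) return null;
    $data = json_decode(base64_decode($body), true);
    return is_array($data) ? $data : null;
}

// Constructed sample input: a cookie value that carries a serialized object.
$cookie = base64_encode(serialize(new LoadedClass()));

// Weak decoder: the object is instantiated and its magic method runs.
$obj = decode_cookie_unsafe($cookie);
var_dump($obj instanceof LoadedClass, LoadedClass::$woke);

// allowed_classes => false: only an inert placeholder object comes back.
LoadedClass::$woke = false;
$obj = decode_cookie_no_objects($cookie);
var_dump($obj instanceof LoadedClass, LoadedClass::$woke);

// Signed JSON: a server-issued value round-trips, the unsigned cookie is refused.
$key = 'constructed-demo-key'; // placeholder secret for the demo only
var_dump(decode_cookie_signed(encode_cookie_signed(['cart' => [101, 102]], $key), $key));
var_dump(decode_cookie_signed($cookie, $key));
```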

What is the problem with plugins?

This vulnerability illustrates a much broader topic - all e-commerce owners need to be extremely careful when installing new plugins, and they need to keep them up-to-date.

Recently WordPress has become a very convenient way for attackers to gain access to websites. There are a number of things which make plugins vulnerable. Many of them are designed to allow WordPress to communicate with other websites. Users start searching for the products they’re looking for on online marketplaces, so plugins which integrate WordPress with such marketplaces become very popular. This also makes them vulnerable to hackers who pose as the same marketplaces and extract information.

Another reason for the vulnerability is that plugins, once released, stop being maintained by their creators. A very common cyber crime is the XSS attack; XSS attacks are considered to account for over half of all attacks against plugins. They occur when malicious scripts are injected into the code of outdated plugins, which gives attackers access to the compromised WordPress website.

Despite knowing the threat of such outdated plugins and themes, a lot of the website owners don’t have the time to perform regular checks on their website and remove the unnecessary themes and plugins.

Conclusion

This does not mean that you should avoid new themes and plugins altogether. They are a part of the value of WordPress for a lot of e-commerce store owners: a number of WordPress themes can boost your store, while plugins similar to Welcart can provide a useful set of tools and services for a lot of online retailers.

This vulnerability, however, raises the question of how important it is to tread carefully. Although a plugin has been downloaded many times, this does not make it safe – take your time and do an online search to verify that it was not a victim of malicious attacks. Also, make sure to plan a quarterly audit of the plugins and themes which you have installed, and remove the ones you’re not using.

Lastly, do not assume that plugins are the only way with which you can improve your website. There are a number of actionable website practices which you can use to boost your sales and not rely on third-party plugins which could make your website vulnerable to hackers.

Nadejda Milanova