Online merchants using WordPress as a platform can become victims of a new remote code execution flaw. A new security report reveals that the bug can interact with the WooCommerce plugin, as a result the criminals can overtake the shops.
WooCommerce Sites Can Be Hijacked By The WordPress Bug: The Hackers Will Take Control
The WordPress content management system as a popular tool for setting up websites of all types, including web shops. It has now turned out that a team of security researchers discovered a critical flaw in it. According to the released information the e-commerce plugin is affected by a file deletion bug which allows hackers to take over control of the sites. This is done by escalating their privileges and eventually executing the necessary code on the hacked sites.
The quoted reason is the “roles” system which is used to assign the privilege access levels to the visitors of the shop. By deleting a certain file via the main WordPress bug the hackers will be able to overtake control of the shops. Access to the configuration file can be done via several of the popular intrusion strategies:
- Cross-Site Scripting (XSS) Attacks — They seek to manipulate the browsers by calling dangerous scripts and commands that can lead to the execution of the necessary code. They are often located on fake web sites or communities. In many cases th hackers can mask them as useful tutorials or guides.
- Phishing Sites — The criminals can also construct fake landing pages that pose as official domains of WordPress or the WooCommerce plugin. They can use similar sounding domain names or security certificates in order to coerce the visitors into interacting with them.
- Virus Infections — Malware infections like Trojans can manipulate the system into executing the dangerous behavior.
We remind our readers that WordPress sites are constantly being targeted by various attacks, a recent example is the [wplinkpreview url=”https://sensorstechforum.com/wordpress-site-owners-targeted-global-phishing-scam/”]September global phishing scam. A patch fixing the arbitrary file deletion vulnerability was released to WordPress site owners in October. We recommend that all users apply all the latest updates to secure their online shops. For more information on the matter read the public disclosure.