Another vulnerability has been found in a WordPress plugin, this one an arbitrary variable overwrite, which was publicly disclosed Wednesday by High-Tech Bridge Security Research Lab. Version 6.3.11 of the eShop WordPress plugin was discovered on April 15 to have insufficient validation of user-supplied input in the “eshopcart” HTTP cookie.
eShop is a shopping cart plugin with a variety of features, and is used by over 10,000 websites, all of which are potentially vulnerable, pending a patch.
A remote attacker can exploit the vulnerability by overwriting arbitrary PHP variables within the scope of the checkout function of the application. High-Tech Bridge reports that this could potentially result in arbitrary PHP code execution, “however in this case we can only overwrite string variables within the scope of ‘eshop_checkout()’ function in ‘/wp-content/plugins/eshop/checkout.php’ file. This reduces our current vectors of exploitation to Full Path Disclosure and Cross-Site Scripting.”
Cross-site scripting (XSS) vulnerabilities have been plaguing WordPress lately, and forced the release of 4.2.1 last week. Most WordPress vulnerabilities are discovered in plugins, including a rash of them lately, and many WordPress users are not keeping their plugins up to date.
Despite this, eShop vendor Rich Pedley had not responded to any of High-Tech Bridge’s three attempts at disclosure prior to Wednesday’s public announcement. High-Tech Bridge recommends that website operators use a penetration testing service, like its ImmuniWeb SaaS offering, to alert them to hacking risks.
Service providers offering security testing and tools, backup, and related products continue to have a healthy market in the roughly one-third of all sites currently exposed to security risks, according to a recent Menlo Security study.