The Black Friday and the Cyber Monday are upon us and security experts from Checkmarx are questioning the security of some of the top WordPress e-commerce plugins that are currently used in more than 100,000 commercial websites.
Checkmarx analyzed the top 12 WordPress e-commerce plugins discovering that four of them are affected by severe vulnerabilities, including reflected cross-site scripting, SQL injection, and file manipulation flaws.
“Out of the 12 plugins we are scanning we have detected high-risk vulnerabilities in at least four of them. One plugin contained three vulnerabilities while the other three each contained one. Of the found vulnerabilities so far, Reflected XSS was found on three plugins, an SQL injection was found on one plugin, Second Order SQL Injection found on one plugin with File Manipulation also being detected on one plugin.” reported the analysis published by Checkmarx. “Of the vulnerabilities that we have detected so far, if they were exploited, the users of over 135,000 websites could find their personal data threatened by malicious parties or cyber criminals.”
The document includes an explanation for most popular flaws affecting WordPress based websites such as reflected cross-site scripting, SQL injection, and file manipulation flaws.
The report doesn’t refer specific e-commerce plugins used by WordPress sites and doesn’t provide information about the commercial platform using it.
Businesses powering e-commerce platform based on WordPress should download plugins only from trusted sources (WordPress.org).
The researchers also suggest scanning the source code of the plugins with a static source code analysis solutions to discover if they are affected by the above vulnerabilities.
Patch management assumes a crucial importance to secure e-commerce websites running on the WordPress CMS, administrators have to constantly maintain plugins up to date.
The report provides useful suggestions to cyber Monday and black Friday shoppers such as:
(Security Affairs – Black Friday, e-commerce)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.