The Black Friday and the Cyber Monday are upon us and security experts from Checkmarx are questioning the security of some of the top WordPress e-commerce plugins that are currently used in more than 100,000 commercial websites.
Checkmarx analyzed the top 12 WordPress e-commerce plugins discovering that four of them are affected by severe vulnerabilities, including reflected cross-site scripting, SQL injection, and file manipulation flaws.
“Out of the 12 plugins we are scanning we have detected high-risk vulnerabilities in at least four of them. One plugin contained three vulnerabilities while the other three each contained one. Of the found vulnerabilities so far, Reflected XSS was found on three plugins, an SQL injection was found on one plugin, Second Order SQL Injection found on one plugin with File Manipulation also being detected on one plugin.” reported the analysis published by Checkmarx. “Of the vulnerabilities that we have detected so far, if they were exploited, the users of over 135,000 websites could find their personal data threatened by malicious parties or cyber criminals.”
The document includes an explanation for most popular flaws affecting WordPress based websites such as reflected cross-site scripting, SQL injection, and file manipulation flaws.
The report doesn’t refer specific e-commerce plugins used by WordPress sites and doesn’t provide information about the commercial platform using it.
Businesses powering e-commerce platform based on WordPress should download plugins only from trusted sources (WordPress.org).
The researchers also suggest scanning the source code of the plugins with a static source code analysis solutions to discover if they are affected by the above vulnerabilities.
Patch management assumes a crucial importance to secure e-commerce websites running on the WordPress CMS, administrators have to constantly maintain plugins up to date.
The report provides useful suggestions to cyber Monday and black Friday shoppers such as:
[adrotate banner=”9″]
(Security Affairs – Black Friday, e-commerce)