Vulnerability via Security Flaw in Unmaintained Plugin

Blog, Plugins, Security Share this post

Webmasters still using the deprecated WP Marketplace WordPress plugin should update to a new e-commerce utility as soon as possible, and remove the plugin from their sites in order to avoid having their servers compromised.

The reason for this warning is a security flaw that affects the plugin. The issue allows an attacker to upload arbitrary files on websites where this plugin is installed.

Depending on the attacker’s skills, the proper files and exploits, a third-party can potentially take over a site’s underlying server.

Attackers scanning for vulnerable websites

Security researchers from White Fir Design discovered this flaw, which is an arbitrary file upload vulnerability. The company says it discovered the issue after they detected scans for the plugin’s CSS file on various websites.

“Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something,” a White Fir researcher said. “We have also seen some requests for the file in the third-party data we monitor as well.”

The company discovered the flaw on Friday, October 14, when they contacted the WordPress.org Plugin Directory team, who removed the plugin from their site.

WP Marketplace plugin abandoned 8 months ago

The plugin, created by a developer that goes by the name Shaon, was quite popular a few years back, being a simple solution for running an online store, and was specialized in selling digital products. In the meantime, the developer created a newer plugin, for the same purpose, with more features, called WordPress Download Manager.

As such, he announced on WP Marketplace’s page that he stopped development on the plugin, which received the last update over eight months ago. According to WordPress.org, WP Marketplace still had between 400 and 500 active installs.

According to White Fir Design, Shaon’s latest plugin, WordPress Download Manager, suffers from an authenticated arbitrary file upload vulnerability as well. The company says the issue remains unfixed at the time of writing. The plugin is still available via the WordPress.org plugin repository.

Today, fellow WordPress security firm Sucuri have said they detected scans for the WP Marketplace plugin as well.

WP Marketplace plugin interface

Thanks for reading and please subscribe to our blog by clicking here 

For help updating, mobile or SEO  please email or call 1 877 889 2573.


About the Author

Wordpress Developer, Security Consultant, Blogger. Works in Edmonton Alberta Canada.

Leave a Reply

Your email address will not be published. Required fields are marked *