This month brought some bad news for eCommerce retailers whose sites run on WordPress: a hugely popular plugin has a hugely dangerous flaw. Welcart, which has a huge market share in Japan, allows hackers to steal credit card information and crash websites.
The news, though certainly damaging for Welcart, will do little to dent the popularity of WP. There are still plenty of reasons to choose WordPress for eCommerce, and plenty of excellent (and secure) examples of sites. Similarly, no-one is accusing WP of being insecure per se. The vulnerability does, however, highlight that plugins and themes, and even very popular ones, can be susceptible to data leaks and hacks.
In this article, we’ll explain the recently discovered vulnerability, look at a few similar issues that have emerged recently, and explore what they can tell us about the security of WP eCommerce more generally.
Welcart found to be vulnerable
Welcart is a plugin that is little known in the West, but has a huge market share in Japan. The plugin provides many useful features for eCommerce store owners, providing shopping cart functionality and a range of payment options. This has led to it being downloaded more than 20,000 times from the official WP store.
Unfortunately, Welcart is not as secure as it appears. In a blog post, security research firm WordFence explained that they had found a vulnerability in Welcart that would theoretically allow hackers to infiltrate sites. Though it must be stressed no such threats have been reported “in the wild,” the threat is a real and present one.
The bug was immediately categorized as a serious one by OSWAP, and the plugin’s publisher, Coline Inc., moved to patch their plugin. As of version 1.9.36 of Welcart, released in October, sites are reported to be safe. This, however, is not where the story ends. Although Coline should be applauded for moving so fast to close this security hole, it left many websites very vulnerable for weeks.
In addition, this was a particularly bad time for a major plugin vulnerability to appear – not just because the holiday season is almost upon us, but also because ransomware against WordPress sites has spiked alarmingly in the last year.
Anatomy of a glitch
With those factors in mind let’s take a closer look at the details of the recently discovered glitch, and use it to glean some lessons about how to secure eCommerce sites against code injection attacks.
Here’s how the attack works, explained for non-techies. The Welcart plugin actually uses a completely different set of cookies from the ones used by WP itself. Normally, there is nothing malicious about these cookies – they are used to keep track of user sessions. More specifically, Welcart calls a cookie named usces_cookie by using the get_cookie function. The plugin uses usces_unserialize to decode the contents of the cookie, allowing it to read the cookies that have already been delivered to users.
This is where things get dangerous. Researchers found that it is possible to set the usces_cookie parameter which would then inject PHP objects once unserialized. This issue should have (and would have) been picked up by dynamic application security testing protocols, or when applications are constantly scanned for vulnerabilities to detect them before they get worse, but it appears that this was not done properly on the Welcart cookie system.
In any case, hackers can use this hole to load a malicious PHP object into a WP site, and once this object is loaded, it can be used as a way to inject malicious code into the same site. As OSWAP puts it, “since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialized call, resulting in an arbitrary PHP object(s) injection into the application scope.”
Using this functionality, hackers could then make requests of a site’s PHP tables. PHP, for the uninitiated, is the database system that sits behind most WP sites, and holds sensitive data about customers and products. It is therefore possible that attackers could have gained access to names, addresses, or even the credit card information of individual customers.
The problem with plugins
It’s possible, of course, to overstate the importance or impact of this latest vulnerability. Nonetheless, it can be used to illustrate a much broader point – that all eCommerce owners need to be careful when choosing and installing plugins, and need to make sure they are kept updated.
WordPress plugins have become, in fact, a very “convenient” way for hackers to gain unwarranted access to sites. In September of this year, a significant flaw discovered in the Icegram’s Email Subscribers & Newsletters plugin was found to affect more than 100,000 individual WordPress websites.
Plugins are vulnerable for a number of reasons. One is the fact that many are designed to allow WP to communicate with other sites. Most people start to search for the products they need on online marketplaces, and as a result plugins that integrate WP with such marketplaces are very popular. Unfortunately, they are also vulnerable to hackers posing as these same marketplaces in order to extract information.
A second reason for the vulnerability is that plugins often stop being maintained by their creators, or site owners leave them installed long after they have been marked as obsolete. One of the most common cybercrimes are XSS attacks, which currently account for over half of all attacks launched against plugins. XSS attacks occur when scripts of a malicious nature are injected directly into the codes of outdated plugins, providing hackers access to the now compromised WordPress site.
Despite the dangers of running such unused or obsolete plugins and themes being well known, many eCommerce store owners simply don’t take the time to perform regular audits on their sites, and to remove any plugins and themes they no longer need.
The bottom line
All this said, you shouldn’t avoid plugins or themes altogether. After all, they are a part of the unique value of WP for many eCommerce store owners. There are many WordPress themes to boost your store, for instance, and plugins like Welcart provide an incredibly useful set of tools and services for eCommerce retailers.
However, the recent discovery of the vulnerability does bring home the importance of treading carefully. Just because a plugin has been downloaded many times, do not assume it is safe – instead, take the time for a quick online search to verify that it hasn’t been the source of recent hacks. Similarly, plan in a quarterly audit of the plugins and themes that you have installed, and delete the ones you are not using.
And finally, don’t assume that plugins are the only way to improve your site. There are also plenty of actionable website practices to boost your sales without relying on third-party plugins that may leave you vulnerable to hackers.