This month brought bad news for e-commerce retailers running websites on WordPress: very popular plug-ins have very dangerous defects. Welcart, which has a huge market share in Japan, has a flaw that could allow hackers to steal credit card information and tamper with websites. This news will certainly cost Welcart, but it will hardly dent the popularity of WP. There are still many good reasons for choosing WordPress for e-commerce, and there are many excellent and secure websites built on it. Likewise, no one accuses WP of instability. However, this vulnerability underlines that plug-ins and themes, even very popular ones, may be exposed to data leakage and hacker attacks.
This article introduces the recently discovered vulnerability, looks at several similar problems that have occurred recently, and discusses what WP e-commerce security can tell you more generally.

Welcart was found to be vulnerable

Welcart is little known in the West, but it has a huge market share in Japan. The plug-in provides many useful functions for e-commerce store owners, including a shopping cart and a variety of payment options, and it has been downloaded more than 20,000 times from the official WP repository. Unfortunately, Welcart is not as safe as it seems. In a blog post, the security research company Wordfence explained that it had discovered a vulnerability in Welcart that could, in theory, allow hackers to break into a website. It should be emphasized that these threats have never been reported
Oswap immediately classified this bug as serious, and Collne Inc., the publisher of the plug-in, moved to patch it. Sites are reported to have been secure since the release of Welcart version 1.9.36 in October. But the story doesn't end there. Collne deserves applause for moving quickly to close this security hole, but many websites remained very vulnerable for several weeks. In addition, with the holiday season approaching, and ransomware against WordPress websites having surged to alarming levels last year, a major plug-in vulnerability arriving now is particularly bad timing.
Anatomy of the defect

With these factors in mind, we will look closely at the details of the recently discovered defect and draw some lessons from it, including how to protect e-commerce websites from code injection attacks. For non-experts, the attack works as follows. The Welcart plug-in uses a set of cookies that is entirely separate from the cookies used by WP itself. Generally, these cookies are harmless and are used to track user sessions. More specifically, Welcart uses the get_cookie function to retrieve a cookie named usces_cookie. The plug-in uses usces_serialize to decode the contents of the cookie, so that it can read back the cookie data previously handed to the user.
This is where things get dangerous. The researchers found that a user can set the contents of the usces_cookie parameter themselves; when that value is unserialized, the result is PHP object injection. This is the kind of problem that dynamic application security testing should catch before release, or as the application continues to evolve and is re-tested for vulnerabilities (and perhaps it would have), but Welcart's cookie handling did not behave correctly. In short, hackers can use this vulnerability to load malicious PHP objects on a WP website. Once the objects are loaded, they can be used as a means to inject malicious code into the same website. Oswap said:
"can be passed to an unserialize call, and the result may be an application-wide injection of arbitrary PHP objects."
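To make the flaw described above concrete, here is an added example (not Welcart's or Wordfence's code) showing the unsafe pattern, a client-controlled cookie fed straight to unserialize(), beside a hardened version that stores the cookie as JSON and authenticates it with an HMAC, so cookie data can never instantiate a PHP object. The cookie name, the functions and SESSION_COOKIE_KEY are constructed for the example.

```php
<?php
// Added example, not plug-in code. Requires PHP 7.3+ for the setcookie() options array.

// Vulnerable pattern: the cookie value is fully attacker-controlled and is
// decoded with unserialize(). Any class loaded on the site whose __wakeup()
// or __destruct() has side effects can then be instantiated by the client.
function read_session_cookie_unsafe(string $cookie_name): array {
    if (!isset($_COOKIE[$cookie_name])) {
        return [];
    }
    $raw  = stripslashes($_COOKIE[$cookie_name]);
    $data = @unserialize($raw);               // PHP object injection sink
    return is_array($data) ? $data : [];
}

// Hardened pattern: JSON cannot express PHP objects, and the HMAC means a
// client cannot forge or tamper with the value without the server secret.
// SESSION_COOKIE_KEY is a constructed stand-in for a secret loaded from config.
const SESSION_COOKIE_KEY = 'replace-with-a-random-32-byte-secret-from-config';

function write_session_cookie(string $cookie_name, array $data): string {
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, SESSION_COOKIE_KEY);
    $value   = $payload . '.' . $mac;
    setcookie($cookie_name, $value, [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
    return $value;
}

function read_session_cookie_safe(string $cookie_name): array {
    if (!isset($_COOKIE[$cookie_name])) {
        return [];
    }
    $parts = explode('.', $_COOKIE[$cookie_name], 2);
    if (count($parts) !== 2) {
        return [];                            // malformed: discard
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SESSION_COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return [];                            // forged or tampered: discard
    }
    $decoded = base64_decode($payload, true);
    $data    = $decoded === false ? null : json_decode($decoded, true);
    return is_array($data) ? $data : [];      // arrays only, never objects
}
```

If legacy serialized cookies must still be read during a migration, unserialize($raw, ['allowed_classes' => false]) turns any embedded object into __PHP_Incomplete_Class instead of instantiating it.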
Using this foothold, hackers can read the site's database tables, which hold sensitive customer and product data on most WP websites. This could give an attacker access to an individual customer's name, address, or credit card information. The importance or impact of this particular plug-in problem and the latest vulnerabilities may be exaggerated. Nevertheless, there is a broader point all e-commerce owners can take from it: be careful when selecting and installing plug-ins, and keep them up to date.
In fact, the WordPress plug-in has become a very
The second reason for the vulnerability is that plug-ins are often no longer maintained by their authors, or the site owner stops using a plug-in but leaves it installed for a long time. One of the most common cyber crimes is the XSS attack, which accounts for more than half of all current attacks on plug-ins. An XSS attack occurs when a malicious script is inserted directly into old plug-in code, giving the hacker access to the compromised WordPress site. Although the risks of running unused or abandoned plug-ins and themes are well known, many e-commerce store owners do not take the time to audit their sites periodically and remove plug-ins and themes that are no longer needed.
Conclusion

None of this means you should avoid plug-ins or themes entirely. Ultimately, they are part of WP's intrinsic value to many e-commerce store owners. For example, there are many WordPress themes that can enhance a store, and plug-ins such as Welcart provide very useful tools and services for e-commerce retailers. However, given the recently discovered vulnerabilities, it is important to tread carefully. Don't assume a plug-in is safe because it has been downloaded many times. Instead, confirm through a quick online search that it has not been the source of recent hacks. Likewise, schedule quarterly audits of installed plug-ins and themes, and delete the ones that are unused.
Finally, don't assume that plug-ins are the only way to improve your site. There are many proven ways to increase revenue without relying on third-party plug-ins that may be vulnerable to hackers.