Managing WordPress and WooCommerce Threats With Attack Surface Intelligence
Reading time: 14 minutes
With its theme ability, websites powered by WordPress can be made to look unique—and often can’t be identified as WordPress-powered at first glance. Combined with the ability to use various plugins to extend its usability, it’s become common for WordPress site owners to use it not only for blogging but for other use cases as well, such as eCommerce.
The widespread popularity of eCommerce is highly evident, with around 20% of WordPress sites using the WooCommerce plugin. However, given its popularity, it’s also widely targeted, as shown in data from 2020 Recorded Future which found WooCommerce to be the third most-targeted platform for stealing payment data, behind only Magento and OpenCart.
With the added advantages of being free to use and its ability to self-host, WordPress has also become a popular go-to solution for a number of complex use cases such as eCommerce and discussion forums. Unfortunately, that very flexibility with plugins and themes has made managing one’s attack surface on WordPress an ever-increasing challenge.
- Recent risks and threats on WordPress
- What about WooCommerce?
- Outdated software—the core issue?
- Preventing WordPress-based attacks with Attack Surface Intelligence
- Summary
Recent risks and threats on WordPress
As with any web application hosted on the public internet, WordPress too is susceptible to a large variety of risks and threats, including age-old attack vectors such as DDoS (distributed denial-of-service attacks) and brute force attacks which exhaust system resources. In the recent past, for example, there have been automated attacks towards WordPress XMP-RPC endpoint and wp-admin login forms to disrupt website performance.
One can also inherit specific risks and threats via the unavoidable usage of plugins and themes. While the WordPress core is maintained by a dedicated team of developers, plugins and themes are usually maintained by their developers, and while WordPress does verify those which are available from its plugin/theme store, their number makes it quite challenging to ensure complete safety.
Furthermore, the ability to purchase and use themes and plugins from 3rd-party stores and developers brings with it a risk of using code from developers who may not go through a verification process, or even any safety audit process, for the themes or plugins they sell. In this way, vulnerabilities can be easily brought into your WordPress installation.
Recent vulnerabilities include ones from WordPress misconfigurations such as pingback attacks, where pingbacks are used to track inbound links and references to pages within WordPress. This pingback feature can be exploited via the comments section, which can then expose your WordPress host IP address even if it was hidden behind a web application firewall (WAF) like Cloudflare, which in turn can lead to attackers bypassing the WAF and attacking your website directly via its IP address. Furthermore, this pingback feature can also be used to perform DoS (denial-of-service) attacks by generating numerous pingback requests in a short time.
Other recent vulnerabilities in WordPress plugins have led to more advanced compromises as well, with attackers installing cryptocurrency miners which can not only eat up server resources, slowing down your website, but can also cause issues such as higher power bills (due to more energy consumption) and the wearing down of physical parts such as CPU fans sooner than expected (as they would be running at 100% 24/7 due to the cryptocurrency miner).
Given that plugins have near-unrestricted access within WordPress, allowing access to everything that WordPress can access itself, plugins such as BackupBuddy have suffered from critical security vulnerabilities that have allowed attackers to access and modify any file accessible by WordPress within the server itself. Because the wp-config.php file is readable and accessible by WordPress, attackers can use this arrangement to gain access to your database, along with other credentials stored within that file.
What about WooCommerce?
WooCommerce has enabled WordPress site operators to expand their revenue streams by allowing them to sell directly from within their existing blogs/websites, with the same familiarity and comfort of using WordPress.
But with eCommerce websites being popular targets for attackers, using WooCommerce brings in a whole other scope of attacks. These are far more stealthy and targeted towards stealing payment information, by injecting malicious code into payment gateway plugins and other methods such as javascript code which silently reads payment input and relays it to attackers.
For example, recent vulnerabilities in the WooCommerce plugin (CVE-2022-2099) allowed attackers to inject unsanitized HTML code into payment gateways, which could allow attackers to inject Javascript code to steal payment information into critical gateways such as credit card information. Similarly, there was a critical SQL injection vulnerability detected back in 2021 within WooCommerce, which affected nearly all versions of WooCommerce to date.
Popular plugins to extend WooCommerce usability—such as Email Verification for WooCommerce (CWE-287)—have also seen security issues in the recent past, allowing for any user to log in as the administrator user. Similarly, plugins to create product layouts like Product Table for WooCommerce (CVE-2022-1020) have seen security issues allowing attackers to execute functions without authentication.
Vulnerabilities come in all shapes and sizes. Apart from injection-based attacks, Cross Site Scripting attacks have been seen (CVE-2021-24940) in the recent past, when using something as simple as a Persian WooCommerce plugin within websites. Improper input sanitization has affected common plugins like woocommerce-exporter too, leading to cross site scripting vulnerabilities (CVE-2022-0149).
While using WooCommerce itself does not affect WordPress security, it does expand the various types of attacks that your website may now receive. Being protected and prepared against certain types of attacks in the past can’t prevent you from experiencing a wider range of attacks targeted towards your new eCommerce store.
Outdated software—the core issue?
While the WordPress core itself has seen vulnerabilities of late, the attack surface and attack vectors to exploit these vulnerabilities are frequently made larger and more easily accessible with the use of out-of-date plugins.
Most popular plugins have updates released for them promptly, with new features and security fixes, at times just within a few hours of a vulnerability being reported. Still, many WordPress site operators do not install these updates for fear of breaking existing functionality or simply not seeing any reason to update.
Take for example the popular plugin Fusion Page Builder, which is used in various themes to build custom pages within your WordPress website with the familiar Bootstrap UI. Versions before 3.6.2 were susceptible to attacks which could initiate arbitrary HTTP requests (CVE-2022-1386) as it did not validate form input, which could then be used to interact with other servers within the WordPress server’s private network as well.
Plugins that give WordPress some basic extended capabilities, such as a word count column within the admin area, are also susceptible to vulnerabilities. For example, the Admin Word Count Column WordPress plugin previously did not validate readfile path parameters (CVE-2022-1390), hence it could be used by attackers to read any file accessible by your WordPress installation.
Advanced plugins such as Cab Fare Calculator that allows one to run an Uber- or Lyft-like service, which allows your end users to book cabs from your WordPress installation, have experienced vulnerabilities which originated from the lack of validation of the controller parameters (CVE-2022-1391), which could lead to local files being included and read from your WordPress installation.
WordPress itself has taken steps to address this issue with automated updates to the core being introduced in WordPress 3.7, which was released back in October 2013. However, site owners and maintainers frequently disable this feature, due to fears of site breakage and plugin incompatibility. Consequently, this is often noted as the most common source of WordPress compromises.
As seen in the chart above, a large percentage of WordPress websites are still powered by version 5 with possibly out-of-date plugins. WordPress 6.0.2 is the latest version available, at the time of this writing.
Preventing WordPress-based attacks with Attack Surface Intelligence
Staying ahead of attackers by using automated means to scan for vulnerable plugins and WordPress installations is an important step toward making sure your WordPress setup remains safe and secure. As often seen with eCommerce websites, attackers target them with more sophisticated and automated attacks, and running WordPress at the backend can allow attackers to get a better idea of what to target given that it’s such a well-known content management system.
Steps to increasing the security of your WordPress installation begin with disabling file editing in the WordPress admin area as well. By default, WordPress allows you to edit any file right from the admin area, and attackers can exploit this to inject malicious code into files. Disabling file editing gives you a layer of added security in case your admin login gets compromised, and this can be accomplished by adding a single line into wp-config.php,
_define( 'DISALLOW_FILE_EDIT', true );_
Another commonly attacked endpoint, XMP-RPC, can be easily secured by restricting or disabling access to the endpoint with a plugin for which you can whitelist certain IPs for access if needed, or you can simply block all access to ensure that your site does not fall victim to brute force attacks aimed at exhausting system resources by making automated calls to the xmp-rpc.php endpoint.
Beyond the above changes, one can also take certain actions such as changing the default admin account. Since every default admin account username in WordPress is admin, this makes the username easy to guess for attackers, and the wp-admin path to the admin area becomes easy to guess as well. While it’s considered basic security through obscurity, there exist plugins to change this to a custom name, making it difficult for attackers to guess.
Last but not least, ensuring that you keep your WordPress and any installed themes and plugins always updated helps improve the security outlook of your WordPress installation.
With CVEs being published around the clock when vulnerabilities are discovered, it remains a challenge to stay ahead of attackers who often automate attacks based on CVEs. Automated updates are seen as a solution, but in certain situations they can fail when plugin updates aren’t available. Fortunately, other methods of mitigation such as using .htaccess or firewall deny’s can help secure vulnerable endpoints until a plugin update is available.
In any of these scenarios, using platforms such as our own Attack Surface Intelligence ensures that your WordPress site is automatically scanned and checked against the most popular misconfigurations and vulnerabilities in existence. Attack Surface Intelligence is our way of keeping you aware of potential attacks and mitigations that can target not only the WordPress core but also the individual plugins that drive your website.
Identifying critical WordPress risks
As we previously covered, the main issues arise from multiple fronts, from brute force attacks to SQL injections and more. But what’s true over the years is that most of the cybersecurity issues associated with WordPress, and with plugins like WooCommerce, is the lack of updates.
Supervising all your WordPress installations is critical to keeping your organization secure. Attack Surface Intelligence presents a solid and proven solution for detecting critical WordPress risks from misconfigurations and vulnerabilities.
As shown in the previous screenshot, Attack Surface Intelligence can detect WordPress risks and generate a report for you, providing a large part of the puzzle.** **Preventing risks from WordPress relies not only on updates but also on the exposure of your WordPress installations.
To illustrate, here’s a summary of some of the critical CVEs we detect for WordPress. This is by no means an exhaustive list, but an example of just how easy it is for Attack Surface Intelligence to find critical vulnerabilities:
| CVE Name | Description | Severity |
| WordPress Fusion Builder < 3.6.2 - Unauthenticated SSRF (CVE-2022-1386) | The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures. | 9.8 |
| WordPress Admin Word Count Column 2.2 - Local File Inclusion (CVE-2022-1390) | The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique. | 9.8 |
| WordPress Cab fare calculator < 1.0.4 - Local File Inclusion (CVE-2022-1391) | The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. | 9.8 |
| WordPress Plugin Imagements 1.2.5 - Unauthenticated Arbitrary File Upload (CVE-2021-24236) | The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE. | 9.8 |
| WordPress Kaswara Modern VC Addons - File Upload RCE (CVE-2021-24284) | The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. | 9.8 |
| Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call (CVE-2022-1020) | WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument. | 9.8 |
| WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting (CVE-2022-0149) | The plugin was affected by a reflected cross-site scripting vulnerability in the woo_ce admin page. | 6.1 |
| The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS (CVE-2021-24991) | The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard. | 4.8 |
| PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS (CVE-2021-24300) | The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue. | 6.1 |
Detecting exposed WordPress admin panels
How exposed are your WordPress admin panels? Keeping these URLs open to the public reveals the CMS software you are using and opens the door for all kinds of attacks (mostly brute force attacks).
Identifying and keeping an eye on all their WordPress-powered installations can be a manual process for big organizations with an ever-changing attack surface full of old, current, and new digital assets all over the place.
Attack Surface Intelligence is a top solution for identifying CVEs and misconfigurations as well as detecting which WordPress panels are exposed to the public. From its Inventory page, you’ll be able to identify the exposed panels quickly and easily:
This allows you to keep track of all your installations in a matter of seconds, giving you the right intelligence data for securing and locking all exposed panels.
What else can you do to avoid exposing your WordPress admin panels to the public? Some measures could be limited by an allow/deny rule by IP address, restricting access by ISP, country, or region, and manipulating your WP installation to change the default admin path.
Summary
As WordPress is the most commonly used CMS (content management system) on the public internet, it’s also unfortunately the most targeted CMS software around, given its widespread use scenarios from basic blogs to full eCommerce websites.
As seen with most website attack patterns, websites holding or processing financial information are often targeted, leading attackers to valuable information such as credit cards and other lucrative user data.
With CVEs and other security advisories being frequently and publicly published not only for WordPress but also its various plugins, staying up to date with such knowledge is challenging for any site operator. And security scanning and vulnerability reporting are only effective with this level of preparedness.
Using the Attack Surface Intelligence platform ensures that your website's security scanning is completely automated against the latest CVEs as well—keeping you ahead of attackers, always.
