Vulnerability in widely-used WordPress plugin could allow full site takeover

December 3 2020

WooCommerce has made building and running an e-commerce site easy, with many plugins automating tasks that would otherwise require coding knowledge. TI WooCommerce Wishlist is one such plugin: it lets customers add products to a wishlist and buy them later. A flaw in this plugin lets an ordinary user (a customer) gain administrator status.
TI WooCommerce Wishlist has more than 70,000 active installations, and a critical vulnerability like this could grant attackers full administrative access to the website, including the ability to modify or delete content or take over the entire site's database.
The bug in the TI WooCommerce Wishlist plugin has been patched in the latest version (1.21.12). The more than 70,000 active users are urged to update their existing installation to this version to fix the bug. However, half of them have yet to update, leaving their client data open to attack.
Because WooCommerce is so widely used, the missing capability check and the other flaws described below let an attacker take control of a targeted site.

The plugin has an import function in the ti-woocommerce-wishlist/includes/export.class.php script, loaded with the WordPress admin_action_ hook, that lacks a capability check and security nonce, allowing an authenticated user to modify the content of the WordPress options table in the database.

JEROME BRUANDET, NinTechNet Blog
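The quoted description names the two missing controls: a capability check and a nonce. The block below is an added example written for this post, not code from the TI WooCommerce Wishlist plugin; it shows what a WordPress admin_action_ handler looks like when both controls are present. The hook name example_import, the option names and the form are hypothetical; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, update_option) are core functions.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress admin_action_ handler
 * that performs the two checks the quoted description says were missing.
 * The action name "example_import" and the option names are hypothetical.
 */

add_action( 'admin_action_example_import', 'example_handle_import' );

function example_handle_import() {
    // Check 1: capability. Only users allowed to manage options may run this.
    // Without it, any logged-in user (a shop customer, for instance) can fire
    // the action simply by being authenticated.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), '', array( 'response' => 403 ) );
    }

    // Check 2: nonce. Ties the request to a form this site issued to this user,
    // so a forged cross-site request fails. check_admin_referer() dies on failure.
    check_admin_referer( 'example_import_action', 'example_import_nonce' );

    // Defence in depth: never let request data choose which option is written.
    // Restrict writes to an explicit allow-list owned by this plugin, so even a
    // privileged user cannot repurpose the handler to touch users_can_register
    // or default_role.
    $allowed = array( 'example_plugin_settings' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_die( esc_html__( 'Invalid option.', 'example' ), '', array( 'response' => 400 ) );
    }

    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );

    wp_safe_redirect( add_query_arg( 'example_imported', '1', admin_url( 'admin.php?page=example' ) ) );
    exit;
}

// The admin form that triggers the action must carry the matching nonce field.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import" />
        <?php wp_nonce_field( 'example_import_action', 'example_import_nonce' ); ?>
        <input type="hidden" name="option_name" value="example_plugin_settings" />
        <input type="text" name="option_value" />
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

The order matters: the capability check comes first, because a nonce only proves the request came from a form the site rendered, not that the user is allowed to perform the action. The allow-list is the part that would have limited the damage here even if an authenticated user reached the handler, since the options table would no longer be writable by name.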

How do the hackers gain access? Simple: the attacker turns on user registration by setting the users_can_register option, then creates an admin account by changing default_role to administrator.
Though WooCommerce blocks non-admin users from entering the WP admin dashboard by default, the hacker can bypass that restriction easily and gain admin access.
So, how can such attacks be prevented despite RCE flaws in the "plugins"?
A web application firewall, Modshield SB, secures your website from any such RCE flaw. Strongbox IT has designed this WAF (Web Application Firewall) to recognize these RCE flaws and protect your website from threats and attacks.
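The two options named above (users_can_register and default_role) are the ones any site owner can watch independently of which plugin has the bug. The must-use plugin below is an added example written for this post, not code from the plugin or from Strongbox IT; it uses WordPress core's pre_update_option_{option} and update_option_{option} hooks to refuse a privileged default role unless set by a user who can promote users, and to log every change to either option. The example_ function names, the list of privileged roles and the use of error_log as the log destination are assumptions.

```php
<?php
/**
 * Added example (not the plugin's or the WAF vendor's code): a must-use plugin
 * (place in wp-content/mu-plugins/) that guards and audits the two options
 * flipped in the attack described above. Hook names are WordPress core's;
 * the role list and the error_log destination are assumptions.
 */

// Roles that should never be handed to self-registering users (assumed list).
function example_privileged_roles() {
    return array( 'administrator', 'editor', 'shop_manager' );
}

// Runs before default_role is written. Returning $old_value makes
// update_option() see "no change" and skip the database write.
add_filter( 'pre_update_option_default_role', 'example_guard_default_role', 10, 3 );
function example_guard_default_role( $value, $old_value, $option ) {
    if ( in_array( $value, example_privileged_roles(), true )
        && ! current_user_can( 'promote_users' ) ) {
        example_log_option_event( 'BLOCKED', $option, $old_value, $value );
        return $old_value;
    }
    return $value;
}

// Fires only after either option actually changed: record who, what and from where.
add_action( 'update_option_users_can_register', 'example_audit_option', 10, 3 );
add_action( 'update_option_default_role', 'example_audit_option', 10, 3 );
function example_audit_option( $old_value, $value, $option ) {
    example_log_option_event( 'CHANGED', $option, $old_value, $value );
}

function example_log_option_event( $outcome, $option, $old_value, $value ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[wp-option-audit] %s %s: %s -> %s by user_id=%d (%s) ip=%s uri=%s',
        $outcome,
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        $user->ID,
        $user->user_login ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-'
    ) );
}

// Periodic sanity check (call from WP-CLI `wp eval` or a cron job): returns a
// list of findings, empty when registration is closed and the default role is safe.
function example_check_registration_options() {
    $findings = array();
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    $role = get_option( 'default_role' );
    if ( in_array( $role, example_privileged_roles(), true ) ) {
        $findings[] = 'default_role is privileged: ' . $role;
    }
    return $findings;
}
```

This catches writes that go through update_option(), which is how a plugin's import routine would normally change settings; a direct SQL write to the options table bypasses these hooks, which is why the periodic check at the end reads the stored values back rather than trusting the hooks alone. The log line gives an incident responder the user ID, source address and request URI of the change, the three things needed to tell a legitimate settings edit from a customer account driving an admin action.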

Why Modshield SB?

Modshield SB offers features no other WAF has, at just $0.58/hr, which sums to approximately $419/month. These features include but are not limited to:

  • Unlimited Applications support,
  • OWASP top 10 Coverage,
  • Built-in Load Balancer,
  • Application DLP,
  • SSL Support,
  • IP Whitelist/Blacklist,
  • Country Whitelist/Blacklist,
  • IP Reputation based Filters,
  • Bot/Crawler Protections,
  • TOR IPs/Scanners protection,
  • Unlimited Core Rule Sets,
  • Log Forwarding/Archival,
  • Lifetime Free Support, and
  • VM for Physical/Other Cloud Infrastructure.

Strongbox also provides several ways to get Modshield SB: AWS Marketplace, Azure Marketplace, Google Cloud Marketplace, and a VMware image for physical or other cloud infrastructure.
The best part is that you can try Modshield SB free for 14 days* on any of these platforms.
References: https://portswigger.net/daily-swig/vulnerability-in-wordpress-plugin-ti-woocommerce-wishlist-could-allow-full-site-takeover

Critical zero-day vulnerability fixed in WordPress TI WooCommerce Wishlist plugin.
