Critical vulnerabilities in WordPress plugins (Feb. 29, 2020)

[German]Vulnerabilities in WordPress-Plugins like Flexible Checkout Fields for WooCommerce puts  hundreds of thousands of WordPress pages at risk to be hijacked. Here is some information that I received during the days around this topic.


Campaign to hijack WordPress pages

WordFence Security researchers warns of an ongoing campaign where WordPress installations are hijacked by multiple 0-day vulnerabilities and taken over by attackers. This takeover is made possible by the outdated plugin Flexible Checkout Fields for WooCommerce, which had the vulnerabilities. The plugin is in use on more than 20,000 sites.

The plugin Flexible Checkout Fields for WooCommerce received a critical update to version 2.3.4 a few days ago to patch a zero-day vulnerability that allowed attackers to change the settings of the plugin.

When the WordFence Threat Intelligence team investigated the scope of an attack campaign on this plugin, they discovered three other zero-day vulnerabilities in popular WordPress plugins that are being exploited. The plugins are affected:

Details about this campaign and the vulnerabilities are covered by the WordFence Threat Intelligence team in this blog post. Bleeping Computer has this blog post about that topic.

Vulnerabilities in WordPress Pricing Table-Plugin

Already on February 25, 2020 I received another security advice from WordFence. The WordFence Threat Intelligence Team discovered several vulnerabilities in the WordPress Pricing Table-Plugin. The WordPress-Plugin from Supsystic is installed on over 40.000 websites.


These vulnerabilities allowed an unauthenticated user to perform multiple AJAX actions due to an insecure permissions weakness. The attackers were also able to inject malicious Javascript due to a Cross-Site Scripting (XSS) vulnerability, access the pricing table data, and forge requests on behalf of a site administrator due to a Cross-Site Request Forgery (CSRF) vulnerability.

There is an update for the plugin for version 1.8.2, which should be installed immediately, if not already done. Details about this security issue can be found in the Wordfence blog.

Further campaigns

Already last Monday the WordFence team reported in this blog post about further attacks, e.g. about the vulnerable ThemeGrill Demo Importer. I had taken up the topic in the German blog post WordPress ThemeGrill-Plugin mit gravierender Schwachstelle. And there were attacks on websites with outdated Profile Builder plugin. In my German blog there was the postSchwachstellen in WordPress-Plugins: GDPR Cookie Consent und Profile Builder.

Addendum: Catalin Cimpanu has published an article that covers even more attack vectory. A must read.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *