IT security company High-Tech Bridge has identified a remote code executivion vulnerability in the WordPress shopping cart plugin eShop, which can influence the execution of code and open back doors into 10,000+ live WordPress websites for hackers to exploit.
“The vulnerability exists due to insufficient validation of user-supplied input in “eshopcart” HTTP cookie,” according to the advisory from High-Tech Bridge. “In this case we can only overwrite string variables within the scope of ‘eshop_checkout()’ function in ‘/wp-content/plugins/eshop/checkout.php’ file.”
According to Itsik Mantin, director security research at Imperva, the reason we see remote code execution vulnerabilities so often in frameworks like WordPress is because they “have a dynamic ecosystem of plugins developed by a large community of developers, with various levels of knowledge in the variety of threats their plugin module can inadvertently facilitate.”
In terms of what the user can do, Mantin said that “trying to control the “security quality” of third-party software being integrated into open frameworks, or even commercial web applications, is probably a lost battle” and that the best way to protect a web application is externally, “employing a WAF that can cover for code security pitfalls.”