WordPress Plugin ‘WP Marketplace’ Exploited By Hackers to Upload a Backdoor!

WP Marketplace is a WordPress e-commerce plugin used by more than 500 websites. It is an old plugin that is no longer maintained by its developers. Recently, a zero-day flaw in the WP Marketplace plugin has been exploited by hackers to upload a backdoor. This is a common scenario when plugins are not kept up to date with the latest security practices. All websites that use the “WP Marketplace” plugin are under threat.

Who detected it?

A few days ago, security researchers at the Colorado-based security firm “White Fir Design” were working on some WordPress websites. During the investigation, they noticed third-party requests interacting with a file belonging to WP Marketplace. These requests had been sent by hackers probing for an arbitrary file upload vulnerability in the WP Marketplace plugin. The security firm ‘Sucuri’ has also detected malicious attack attempts against the WP Marketplace plugin. According to Sucuri, hackers have uploaded a backdoor through WP Marketplace after exploiting it.
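As an added example (not code from the article, from White Fir Design or from Sucuri), the following Python script shows two checks a site owner can run to spot the pattern described above: direct POST requests to a file under a plugin directory followed by a request for a PHP script under wp-content/uploads, and PHP scripts sitting in the uploads tree where only media should be. The log lines, the directory tree and the plugin directory name `example-plugin` are constructed placeholders; the article does not name the real plugin paths or file names.

```python
"""Added example, not from the article: post-incident checks for a WordPress
site after an arbitrary-file-upload flaw in a plugin has been reported.

scan_access_log()  - flags direct POST requests to files under /wp-content/plugins/
                     (the probing White Fir Design saw) and any request for a PHP
                     script under /wp-content/uploads/ (how an uploaded backdoor
                     would be invoked).
scan_uploads_dir() - lists files in an uploads tree that are PHP scripts, by
                     extension or by content, since uploads should hold only media.
"""
import os
import re
import tempfile
from collections import defaultdict

PLUGIN_SLUG = "example-plugin"  # placeholder: substitute the real plugin directory name

# Apache/nginx "combined" log format; assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: one ordinary visitor, and one source that POSTs
# straight to a plugin file and then fetches a .php file from the uploads tree.
SAMPLE_LOG = f"""\
198.51.100.7 - - [01/Nov/2014:09:00:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Nov/2014:09:00:05 +0000] "GET /wp-content/plugins/{PLUGIN_SLUG}/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.4"
203.0.113.9 - - [01/Nov/2014:09:00:06 +0000] "POST /wp-content/plugins/{PLUGIN_SLUG}/upload.php HTTP/1.1" 200 34 "-" "python-requests/2.4"
203.0.113.9 - - [01/Nov/2014:09:00:09 +0000] "GET /wp-content/uploads/2014/11/cache.php HTTP/1.1" 200 200 "-" "python-requests/2.4"
198.51.100.7 - - [01/Nov/2014:09:01:00 +0000] "GET /wp-content/uploads/2014/11/product.jpg HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
"""

PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def scan_access_log(text):
    """Return {client_ip: [finding, ...]} for sources showing the probe/upload/execute pattern."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of aborting the scan
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching paths
        if method == "POST" and path.startswith("/wp-content/plugins/"):
            findings[ip].append(f"direct POST to plugin file {path}")
        if path.startswith("/wp-content/uploads/") and path.lower().endswith(PHP_EXTS):
            findings[ip].append(f"PHP script requested from uploads: {path}")
    return dict(findings)


def scan_uploads_dir(root):
    """Return relative paths (with '/' separators) of files under root that look like PHP."""
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(PHP_EXTS):
                suspicious.append(rel)
                continue
            # The extension may be disguised (PHP inside a .jpg), so also peek at the content.
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if b"<?php" in head or b"<?=" in head:
                suspicious.append(rel)
    return sorted(suspicious)


def build_sample_uploads(root):
    """Create a constructed uploads tree: a real image, a .php file, and PHP disguised as .jpg."""
    folder = os.path.join(root, "2014", "11")
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "product.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)           # JPEG header, harmless
    with open(os.path.join(folder, "cache.php"), "wb") as fh:
        fh.write(b"<?php echo 'placeholder'; ?>")              # stands in for an uploaded script
    with open(os.path.join(folder, "logo.jpg"), "wb") as fh:
        fh.write(b"GIF89a<?php echo 'placeholder'; ?>")        # image magic bytes, PHP inside


def demo_uploads_scan():
    """Build the constructed tree in a temp dir and return what scan_uploads_dir finds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return scan_uploads_dir(tmp)


if __name__ == "__main__":
    for ip, items in scan_access_log(SAMPLE_LOG).items():
        print(ip)
        for item in items:
            print("   ", item)
    print("suspicious files in uploads:", demo_uploads_scan())
```

On a real site, point `scan_access_log` at the web server's access log and `scan_uploads_dir` at `wp-content/uploads`; a hit from either check is a reason to take the plugin offline and review the site, not proof of compromise on its own, since some plugins do legitimately accept POSTs to their own files.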

Why Are Hackers Exploiting Plugins?

Obviously, for profit. Finding vulnerabilities in every individual website is difficult, so hackers exploit plugins instead, because a single plugin is used by millions of websites at the same time. Even when hackers target a large number of less popular applications, the effort still pays off. If a plugin is vulnerable, every website that uses it is vulnerable. The WP Marketplace plugin is not that popular, but hackers have still uploaded a backdoor through it. The backdoor will help them find other hidden vulnerabilities on those websites, and they can go on to perform ransom attacks to hijack the web servers.

"A small mistake may take a business from the top to zero. Therefore, it is necessary for plugin developers to follow their best development practices even in the case of small plugins."

The WP Marketplace Team’s Take on It

According to White Fir Design, the WP Marketplace team offers several other plugins; one example is “WordPress Download Manager”. WP Marketplace has not been updated by its developers in the last eight months, and it has few users. The team has now removed the plugin from the WordPress Plugin Directory.

On the other hand, WordPress Download Manager has tens of thousands of active users, and it is also vulnerable to a file upload vulnerability. This vulnerability was discovered by security researchers at White Fir Design four months ago. The shocking fact is that this vulnerability is still unpatched. Nowadays, hackers are also using fake domain names to set up fake e-commerce web pages in order to steal the payment card details of online shoppers. It is necessary for both developers and users to keep themselves up to date with the latest security techniques.
