200+ Active Installs Is Enough For Someone To Try Exploit a Possible Security Issue
When looking at hacking attempts against websites one of the important things to understand is that only a minuscule amount of those attempts have any chance of succeeding. One of the reason for that is that hackers are rather indiscriminate in their hacking attempts so you end with a lot of hacking attempts for software that isn’t used on the website. Even knowing that, it still sometimes surprising to see how obscure of an issue hackers will try to exploit. Take for instance something we recently saw on one of our website, we have several requests for a files from the WordPress plugin WP STORE:
/wp-content/plugins/wpstore/includes/functions/payment/Cielo/logs/log.log
/wp-content/plugins/wpstore/includes/functions/payment/cielo/logs/xml.log
/wp-content/plugins/wpstore/includes/functions/payment/Cielo/logs/xml.log
/loja/wp-content/plugins/wpstore/includes/functions/payment/Cielo/logs/xml.log
/home/wp-content/plugins/wpstore/includes/functions/payment/Cielo/logs/log.log
/home/wp-content/plugins/wpstore/includes/functions/payment/Cielo/logs/xml.log
According to the stats on wordpress.org this plugin has 200+ active installs:
The plugin is all in Portuguese so it is hard for us to tell exactly what is intended to be in those files being requested, but it looks to be log files for one payment module in the plugin. So only a subset of those 200+ active installs would possibly have anything of value in those locations.
We notified the developer of the requests and the possibility that those files might not be properly protected but we haven’t heard anything back yet.