As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we had what looks to be a hacker probing for usage of the plugin Excel Like Price Change for WooCommerce and WP E-commerce (Excel-Like Price Changer for WooCommerce and WP E-commerce) on our website.

As we started looking into what might be causing that we quickly found that the plugin is quite insecure. There are smaller issues like the plugin’s admin pages being limited to users with the “edit_pages” capability instead of “manage_woocommerce”, so Editor level users can access to WooCommerce related data and functionality they are not intended to. What we ran across first though is a much larger issues was that a lot of the plugin’s functionality is accessible those not even logged in to WordPress and that creates various vulnerabilities, we have detailed a couple of obvious ones below that hacker might in the process of exploiting and there look to be more. [Read more]