One of the things we seem to be unique in doing is monitoring for hackers probing for usage of WordPress plugins before exploiting vulnerabilities in them. That is despite other security companies claiming to be doing the same and them needing to do that to be able to prevent exploitation. Today through that we saw probing for the plugin PPOM for WooCommerce with requests for these files from it:

• /wp-content/plugins/woocommerce-product-addon/readme.txt
• /wp-content/plugins/woocommerce-product-addon/js/script.js
• /wp-content/plugins/woocommerce-product-addon/css/ppom-style.css

As is often the case with plugins that hackers are probing for, the plugin has been quite insecure. When we started looking over the plugin to see if there was a vulnerability that we should be warning customers of our service using the plugin of, we found that a fairly serious vulnerabilities had been partially fixed several weeks ago. But when we started looking to see if the same type of fix had been implemented elsewhere we found one part of the code is still completely vulnerable. It leads to an authenticated persistent cross-site scripting (XSS) vulnerability, which would allow an attacker with a low level WordPress account the ability to malicious JavaScript to be displayed on at least admin pages of the website. That is a type of vulnerability that has been popular with hackers recently. Since the plugin extends WooCommerce and WooCommerce by default allows the public access to WordPress accounts, which increases the ability to exploit this. [Read more]