(Ping! Zine Web Hosting Magazine) – Future Hosting, a specialized VPS hosting and dedicated server hosting provider, has warned users of the popular WordPress WooCommerce eCommerce plugin to update as soon as possible. A vulnerability in the plugin may allow attackers to access files that contain sensitive information that could put sites at risk of data loss or malware infection.
The security weakness, which was discovered and reported by researchers at security company Sucuri on June 10, 2015, leverages an object injection vulnerability present in WooCommerce. Only sites with WooCommerce’s PayPal Identity Token option activated are vulnerable.
Owners of vulnerable sites should update to the most recent version of the WooCommerce plugin, which includes a patch that fixes the problem.
Sucuri published a detailed proof of concept that shows how the vulnerability can be used to access files that contain sensitive information. The Sucuri POC leveraged the object injection vulnerability along with other known vulnerabilities to gain access to a site’s wp-config.php file, which contains the site’s database credentials and secret keys.
“We host a large number of WordPress users, many of whom use the WooCommerce plugin for eCommerce. Most have already applied the patch, but we’re aware that there are still a large number of vulnerable sites on the web,” said Maulesh Patel, VP of Operations of Future Hosting. “It’s important that vulnerabilities of this nature are given the widest possible exposure, so that site owners can make sure their users are not at risk.”
Vulnerabilities are regularly discovered in content management systems and their plugins. The handling of the recent WooCommerce vulnerability is an example of an effective application of security best practices: it was disclosed and patched quickly. Without wide exposure, however, it is likely many sites will remain vulnerable.
About Future Hosting, LLC
Founded in 2001, Future Hosting is a privately held leading Internet solutions provider specializing in managed hosting, including Dedicated Servers, Virtual Private Servers, and Hybrid Virtual Private Servers. The company has built a strong reputation for its high-quality service, innovative pricing models, and 3-hour Service Level Agreement. Future Hosting is based in Southfield, Michigan. For more information, visit http://www.futurehosting.com