Question 1

What exactly is the vulnerability?

Accepted Answer

What exactly is the vulnerability?

The vulnerability is an unrestricted file upload issue that exists in versions 7.3.11 and below of the Mollie Payments plugin for WooCommerce sites. It allows a user with only Shop Manager permissions to upload unexpected and potentially malicious files to the server without restriction.

Question 2

How serious is this vulnerability?

Accepted Answer

How serious is this vulnerability?

This arbitrary remote code execution vulnerability is quite serious, with a relatively high CVSS severity rating of 7.2 out of 10. If successfully exploited, attackers could fully compromise sites, steal data, install malware impacting site visitors, and more damaging attacks.

Question 3

Could my site be at risk even though I don't use this plugin?

Accepted Answer

Could my site be at risk even though I don't use this plugin?

Even if you don't have the Mollie Payments plugin installed, this serves as an important reminder of the criticality of keeping all plugins, themes, and WordPress itself updated. Threat actors are constantly discovering dangerous new exploits that put outdated websites at risk of takeover and data breaches regardless of plugins used.

Question 4

I have automatic background updates enabled already. Does that fully protect me?

Accepted Answer

I have automatic background updates enabled already. Does that fully protect me?

While extremely beneficial, automatic updates don't provide absolute protection. Occasionally vulnerabilities emerge that require manual intervention to fully patch. Plus, automatic updates may not restrict unnecessary user permissions that could enable exploits. So maintaining good security hygiene with layers of protection remains vital.

Question 5

What steps should I take if I use this plugin?

Accepted Answer

What steps should I take if I use this plugin?

If you use this plugin, immediately update manually to version 7.3.12 even if you have automatic updates enabled. Also check your user role permissions and logs for any signs of unauthorized access or file changes. As an extra precaution, consider temporarily switching payment gateways until you’ve verified no compromise occurred.

Question 6

Could outdated themes or WordPress core put me at risk too?

Accepted Answer

Could outdated themes or WordPress core put me at risk too?

Absolutely. Outdated software of all kinds, including WordPress core, themes and plugins dramatically elevate exploitation risks. Modern websites face constant threats, making ongoing security patching mission critical. Enabling automatic core, theme and plugin updates instantly secures sites as fixes emerge.

Question 7

Is this a flaw in WooCommerce's own code?

Accepted Answer

Is this a flaw in WooCommerce's own code?

No, this vulnerability is specific to the third-party Mollie Payments plugin interacting with the WooCommerce platform, not an issue within WooCommerce itself. However, given WooCommerce's popularity hackers frequently target related plugins looking for security gaps like this that may provide an attack vector if left unpatched.

Question 8

What could happen if hackers compromised my site via this plugin hole?

Accepted Answer

What could happen if hackers compromised my site via this plugin hole?

Potential impact could include complete site takeover, administrator password and backdoor access creation, customer payment data theft, injection of malware to infect site visitors, destruction of key databases and files, and directed attacks launching from your website against others.

Question 9

Who discovered this vulnerability? Should I trust their intentions?

Accepted Answer

Who discovered this vulnerability? Should I trust their intentions?

This arbitrary remote code execution bug was responsibly disclosed by researcher Rafie Muhammad in accordance with industry best practices. White hat hackers like Muhammad help strengthen software security overall by privately notifying vendors first so fixes can be developed prior to any malicious abuse.

Question 10

Beyond updating plugins, what else can I do to lock down website security?

Accepted Answer

Beyond updating plugins, what else can I do to lock down website security?

Consider steps like restricting unused user roles, enabling two-factor authentication for admin logins, installing a web application firewall to filter traffic, making regular malware scans part of your process, examining server logs routinely for abnormalities, executing penetration testing to validate controls and more. Ongoing security requires layers of protection beyond just software patching, as threats continue evolving. Reach out anytime if you need help or have concerns!

CVSS 7.2

WordPress Plugin Vulnerability Report – Mollie Payments for WooCommerce – Authenticated (Shop Manager+) Arbitrary File Upload – CVE-2023-6090

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy