WordPress Plugin Vulnerability Report – Mollie Payments for WooCommerce – Authenticated (Shop Manager+) Arbitrary File Upload – CVE-2023-6090
Plugin Name: Mollie Payments for WooCommerce
Key Information:
- Software Type: Plugin
- Software Slug: mollie-payments-for-woocommerce
- Software Status: Active
- Software Author: mollieintegration
- Software Downloads: 2,934,315
- Active Installs: 100,000
- Last Updated: November 27, 2023
- Patched Versions: 7.3.12
- Affected Versions: <= 7.3.11
Vulnerability Details:
- Name: Mollie Payments for WooCommerce <= 7.3.11 - Authenticated (Shop Manager+) Arbitrary File Upload
- Title: Authenticated (Shop Manager+) Arbitrary File Upload
- Type: Unrestricted Upload of File with Dangerous Type
- CVE: CVE-2023-6090
- CVSS Score: 7.2 (High)
- Publicly Published: November 27, 2023
- Researcher: Rafie Muhammad
- Description: The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in one of its functions in all versions up to, and including, 7.3.11. This makes it possible for authenticated attackers with Shop Manager-level access and above to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Summary:
The Mollie Payments for WooCommerce plugin for WordPress has a vulnerability in versions up to and including 7.3.11 that allows authenticated users with Shop Manager access or higher to upload arbitrary files, because one of its upload functions does not validate the file type. This vulnerability has been patched in version 7.3.12.
Detailed Overview:
Mollie Payments for WooCommerce, a popular plugin for accepting payments in WooCommerce stores, has a vulnerability that allows users with Shop Manager access or higher to upload arbitrary files to the server, because the affected upload function does not restrict file types. It was discovered by researcher Rafie Muhammad and impacts all versions up to and including 7.3.11. By uploading a file type the function never expected, such as a PHP script, into a web-served directory, an attacker could potentially achieve remote code execution on a vulnerable site. Shop Manager is a role that WooCommerce stores routinely grant to staff, so the authentication requirement is a weaker barrier than it may sound. The issue has been assigned CVE-2023-6090 and a CVSS severity score of 7.2 (High). A patch (version 7.3.12) has been released; users who cannot update immediately should restrict Shop Manager access, or consider an alternate plugin, until they are able to.
Advice for Users:
- Immediate Action: Update to version 7.3.12 as soon as possible.
- Check for Signs of Compromise: Review web server access logs and the wp-content/uploads directory for unexpected files (particularly PHP files) uploaded by Shop Manager users, and for requests to PHP files under the uploads directory.
- Alternate Plugins: If you cannot update promptly, consider an alternative payment plugin such as Stripe or Braintree as a temporary precaution.
- Stay Updated: Enable automatic updates for this and other plugins to receive security fixes quickly.
Conclusion:
The quick response by the Mollie Payments for WooCommerce developers to address this vulnerability is reassuring. However, users should still prioritize updating to version 7.3.12 or later as soon as possible to mitigate any potential exploitation, in addition to restricting Shop Manager access in the interim. Staying up-to-date with security patches remains essential for safely operating WordPress sites.
Detailed Report:
Staying on top of website security is crucial in today's threat landscape. Unfortunately, a serious flaw was recently disclosed in the popular Mollie Payments plugin for WooCommerce that allows authenticated users with Shop Manager access or higher to upload arbitrary files to vulnerable servers. This could enable serious attacks, so updating is critical.
Mollie Payments for WooCommerce is a widely-used plugin for accepting payments in WooCommerce stores, with over 2.9 million downloads and 100,000+ active installs. Offering seamless integration with the Mollie payment gateway, it powers payments for well over 100,000 stores, many of them small businesses.
Discovered by researcher Rafie Muhammad, this vulnerability impacts all versions up to and including 7.3.11. It allows users with only Shop Manager access to bypass restrictions and upload unexpected file types like malicious PHP scripts to the server.
If successfully exploited, this could enable serious cyberattacks via remote code execution. Attackers could gain complete control of sites, steal customer data, deliver malware to site visitors, and more. The vulnerability carries a CVSS severity score of 7.2 out of 10, reflecting significant risk.
Updating to Patch:
Version 7.3.12 fixes this flaw by adding proper restrictions on file uploads. Automating plugin updates is wise, but users should update manually right away rather than wait for the next automatic run.
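To make the bug class concrete (both the "missing file type validation" described in the vulnerability details above and the "proper restrictions on file uploads" that the fix adds), here is an illustrative WordPress upload handler, first with the validation missing and then hardened. This is an added example, not the Mollie plugin's code and not its actual fix: the AJAX action name, the function names and the allowed file types are assumptions.

```php
<?php
// Illustrative upload handler for a WordPress plugin, added here to show the bug
// class the advisory describes. This is NOT the Mollie plugin's code: the action
// name, function names and allowed types are assumptions.

// Vulnerable pattern: a capability check that Shop Managers pass, then the
// client-supplied filename written straight into a web-served directory.
function example_upload_vulnerable() {
    // Shop Managers hold manage_woocommerce, so this does not keep them out.
    if ( ! current_user_can( 'manage_woocommerce' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    // CWE-434: no extension or MIME check, so "shell.php" is stored as-is and
    // becomes reachable as /wp-content/uploads/example/shell.php.
    $dest = trailingslashit( $upload['basedir'] ) . 'example/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// Hardened pattern: same capability check plus a nonce, an explicit allowlist of
// the types this feature needs, core's filetype check, and core's upload routine
// (which sanitises the filename and re-validates the type).
function example_upload_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_upload', 'nonce' );

    // Assumption: the feature only ever needs images and CSV files.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'csv'      => 'text/csv',
    );
    $file  = $_FILES['file'];
    // Rejects names whose extension is outside $allowed and, for images,
    // inspects the actual file content rather than trusting the name.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }

    $result = wp_handle_upload( $file, array(
        'test_form' => false,    // not submitted from a core media form
        'mimes'     => $allowed, // same allowlist applied again inside core
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}
add_action( 'wp_ajax_example_upload', 'example_upload_hardened' );
```

Two details matter in the hardened version. First, the explicit wp_check_filetype_and_ext() call makes the rejection unconditional: wp_handle_upload() on its own only waves a failed type check through for users holding the unfiltered_upload capability, which core grants to nobody unless the site defines ALLOW_UNFILTERED_UPLOADS, so for a Shop Manager the allowlist is enforced either way. Second, the client's filename is never used to build a path; core picks the final name and location.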
In addition to upgrading, consider taking extra steps like:
- Reviewing server logs for signs of compromise
- Temporarily restricting Shop Manager permissions
- Switching to alternate payment gateways as an added precaution
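The "check for signs of compromise" advice given earlier and the "reviewing server logs" step above both come down to two questions: is there anything executable under wp-content/uploads, and has anyone requested a PHP file from there? The following stand-alone PHP CLI script, added here as an example and not taken from the page or from the plugin's authors, answers both. It assumes an Apache/nginx combined-format access log; when run without arguments it builds a constructed sample upload tree and constructed log lines so the output can be seen offline.

```php
<?php
// Added example, not code from the page or the Mollie plugin: a stand-alone PHP CLI
// script that looks for the two traces an arbitrary-upload bug leaves behind:
//   1. PHP-executable or PHP-bearing files under wp-content/uploads
//   2. access-log lines requesting a .php file under /wp-content/uploads/
// Usage: php scan-uploads.php /path/to/wp-content/uploads /path/to/access.log
// Without arguments it builds a constructed sample tree and log to demonstrate output.

const DANGEROUS_EXT   = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'inc'];
const DANGEROUS_NAMES = ['.htaccess', '.user.ini']; // can re-enable PHP execution in uploads

// Returns [path, reason] pairs for suspicious files below $dir.
function scan_uploads(string $dir): array {
    $hits  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $f) {
        if (!$f->isFile()) {
            continue;
        }
        $name = $f->getFilename();
        $path = $f->getPathname();
        // Every dotted segment after the first is checked, so "banner.php.jpg" is caught.
        $segments = array_map('strtolower', array_slice(explode('.', $name), 1));
        if (array_intersect($segments, DANGEROUS_EXT)) {
            $hits[] = [$path, 'dangerous extension'];
        } elseif (in_array($name, DANGEROUS_NAMES, true)) {
            $hits[] = [$path, 'server config file in uploads'];
        } elseif (preg_match('/<\?(php\b|=)/i', (string) file_get_contents($path, false, null, 0, 4096))) {
            // A "jpg" or "png" whose first bytes carry a PHP open tag is a disguised script.
            $hits[] = [$path, 'PHP open tag inside non-PHP file'];
        }
    }
    return $hits;
}

// Returns [request-path, log-line] pairs for requests of PHP files under uploads.
// Assumes Apache/nginx combined log format: ... "METHOD /path HTTP/1.1" status ...
function scan_access_log(string $log): array {
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        if (preg_match('#"(?:GET|POST) (/wp-content/uploads/[^" ]*\.ph(?:p\d?|tml|ar)\b[^" ]*)#i', $line, $m)) {
            $hits[] = [$m[1], $line];
        }
    }
    return $hits;
}

// Constructed sample data: a tree with one benign image and four suspicious files,
// plus three constructed log lines (the second shows an uploaded file being executed).
function build_sample(): array {
    $base = sys_get_temp_dir() . '/uploads-sample-' . getmypid();
    mkdir("$base/2023/11", 0700, true);
    file_put_contents("$base/2023/11/product.jpg", "\xFF\xD8\xFF\xE0 constructed jpeg bytes");
    file_put_contents("$base/2023/11/shell.php", "<?php echo 'constructed sample'; ?>");
    file_put_contents("$base/2023/11/banner.php.jpg", "<?php echo 'double extension'; ?>");
    file_put_contents("$base/2023/11/logo.png", "<?php /* PHP hidden behind an image name */ ?>");
    file_put_contents("$base/2023/11/.htaccess", "AddType application/x-httpd-php .jpg");
    $log = implode("\n", [
        '203.0.113.5 - - [27/Nov/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55',
        '203.0.113.5 - - [27/Nov/2023:10:01:09 +0000] "GET /wp-content/uploads/2023/11/shell.php?c=id HTTP/1.1" 200 312',
        '198.51.100.7 - - [27/Nov/2023:10:02:00 +0000] "GET /wp-content/uploads/2023/11/product.jpg HTTP/1.1" 200 8123',
    ]);
    return [$base, $log];
}

[$dir, $log] = $argc >= 3 ? [$argv[1], (string) file_get_contents($argv[2])] : build_sample();
foreach (scan_uploads($dir) as [$path, $why]) {
    echo "FILE  $why: $path\n";
}
foreach (scan_access_log($log) as [$url, $line]) {
    echo "LOG   PHP requested under uploads: $url\n";
}
```

On a real site, point it at the actual uploads directory and the web server's access log, and treat every hit as a possible webshell until proven otherwise: nothing legitimate is served as PHP from wp-content/uploads, so a 200 response to such a request is strong evidence the upload was executed, and the source address and timestamp give you where to look next in the WordPress user and plugin logs. As a defence in depth that blunts this whole bug class, have the web server refuse to execute PHP under wp-content/uploads (turning the PHP engine off for that directory in Apache, or a deny rule for uploads/*.php in nginx); then an uploaded script is just a file.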
This vulnerability underscores the importance of vigilant security practices for website owners without dedicated IT staff. Running outdated software significantly elevates the risk of compromise. While staying on top of every patch isn't always feasible, enabling automatic background updates where possible, restricting unused permissions, reviewing logs, and installing security plugins go a long way. Don't hesitate to enlist outside help with website security if needed.
This situation shows that websites and installed plugins/themes require ongoing maintenance and care to avoid dangerous lapses in security from emerging exploits. For small business owners without ample technical resources, staying on top of everything can prove challenging. Seeking assistance securing your website against constantly-evolving threats in order to protect your business and customers is perfectly understandable.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.