WordPress sites under attack via security flaw in unmaintained plugin

Webmasters still using the deprecated WP Marketplace WordPress plugin should update to a new e-commerce utility as soon as possible, and remove the plugin from their sites in order to avoid having their servers compromised.

The reason for this warning is a security flaw that affects the plugin. The issue allows an attacker to upload arbitrary files on websites where this plugin is installed.

Depending on the attacker's skills, the proper files and exploits, a third-party can potentially take over a site's underlying server. Security researchers from White Fir Design discovered this flaw, which is an arbitrary file upload vulnerability. The company says it discovered the issue after they detected scans for the plugin's CSS file on various websites. "Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something," a White Fir researcher said.

"We have also seen some requests for the file in the third-party data we monitor as well." The company discovered the flaw on Friday, October 14, when they contacted the WordPress.org Plugin Directory team, who removed the plugin from their site.

"WP Marketplace plugin abandoned 8 months ago"

The plugin, created by a developer that goes by the name Shaon, was quite popular a few years back, being a simple solution for running an online store, and was specialized in selling digital products. In the meantime, the developer created a newer plugin, for the same purpose, with more features, called WordPress Download Manager.

As such, he announced on WP Marketplace's page that he stopped development on the plugin, which received the last update over eight months ago. According to WordPress.org, WP Marketplace still had between 400 and 500 active installs.

According to White Fir Design, Shaon's latest plugin, WordPress Download Manager, suffers from an authenticated arbitrary file upload vulnerability as well. The company says the issue remains unfixed at the time of writing. The plugin is still available via the WordPress.org plugin repository. Today, fellow WordPress security firm Sucuri have said they detected scans for the WP Marketplace plugin as well.