Webmasters still using the deprecated WP Marketplace WordPress plugin should update to a new e-commerce utility as soon as possible, and remove the plugin from their sites in order to avoid having their servers compromised.
The reason for this warning is because of a security flaw that affects the plugin. The issue allows an attacker to upload arbitrary files on websites where this plugin is installed.
Depending on the attacker’s skills, the proper files and exploits, a third-party can potentially take over a site’s underlying server.
Attackers scanning for vulnerable websites
Security researchers from White Fir Design discovered this flaw, which is an arbitrary file upload vulnerability. The company says it discovered the issue after they’ve detected scans for the plugin’s CSS file on various websites.
“Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something,” a White Fir researcher said. “We have also seen some requests for the file in the third-party data we monitor as well.”
The company discovered the flaw on Friday, October 14, when they contacted the WordPress.org Plugin Directory team, who removed the plugin from their site.
WP Marketplace plugin abandoned 8 months ago
The plugin, developed by a developer that goes by Shaon, had been quite popular a few years back, being a simple solution for running an online store and was specialized in selling digital products. In the meantime, the developer created a newer plugin, for the same purpose, with more features, called WordPress Download Manager.
As such, he announced on WP Marketplace’s page that he stopped development on the plugin, which received the last update over eight months ago. According to WordPress.org, WP Marketplace still had between 400 and 500 active installs.
According to White Fir Design, Shaon’s latest plugin, WordPress Download Manager, suffers from an authenticated arbitrary file upload vulnerability as well. The company says the issues remains unfixed at the time of writing. The plugin is still available via the WordPress.org plugin repository.
Today, fellow WordPress security firm Sucuri said they’ve detected scans for the WP Marketplace plugin as well.
