Researchers have found three critical vulnerabilities in the Responsive Menu WordPress plugin which exposed over 100,000 sites to takeover attacks. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to forge requests that would modify the settings of the plugin and again upload arbitrary files that could lead to remote code execution.
<p>The Responsive Menu WordPress plugin is just one of many third-party plugins that are a lucrative target for hackers determined to compromise e-commerce sites. They do this using XSS vulnerabilities to gain privileged access to a website and plant malicious Shadow Code that can steal user data, spread malware, or hijack users to nefarious sites. Such techniques have been used to take over and launch Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers. Website owners need to thoroughly review third-party plugins and ensure they upgrade to the latest versions to minimize the odds of such attacks. Consumers must also continue to safeguard their personal data and monitor their credit history for signs of fraud.</p>