With a wide variety of extensions, Magento CMS can cater to every need of an online store. However, at times these extensions can become a potential security liability. If the developers of these extensions do not pay heed to secure development practices, it could leave them vulnerable. While the core Magento may be secure, these vulnerable extensions could open the doors to hackers. The consequences of this could be a hacked Magento store. Which in turn causes loss of revenue, loss of user trust, store blacklisted by search engines and many more!

In this article, we will cover some popular Magento extensions that have been found vulnerable and could lead to a hacked Magento store. If you have had these vulnerable extensions on your store at any point in time, we suggest you go through this Security Guide For Magento 2 and bolt all the security gaps that may have been caused by those extensions.

1. Amasty Feed

Amasty feed is a popular plugin used to generate shopping feeds for popular websites such as Google, Shopping, Bing, Amazon, etc. A shopping feed is a specially designed file that contains information regarding the products of your Magento store. These files are then used to increase search rankings and traffic on your Magento store.

Amasty feed versions 2.4.1+, 3.2.3+, <3.3.4 in Magento 1 were found vulnerable to a local file disclosure vulnerability. This means that unauthorized users can access the sensitive local files like /etc/passwd. All that the attackers require knowing is the location of the file, i.e., /app/etc/local.xml. This can also be easily guessed by appending /../ before the /app/etc/local.xml. The characters /../ will make it move up one directory. So, keep appending it and moving up till you reach the root. That is when /etc/passwd will spill out all the information.  This vulnerability was patched in version 3.3.4. 

So if you use this extension, ensure that you have a version higher than 3.3.4. You can check if your Magento store is vulnerable by visiting this link. 

2. AheadWorks Blog

At times, the Magento store users may feel the need to communicate with their users in a better manner. A blog is certainly helpful in this direction. The Magento extension AW Blog provides users with the flexibility of running a blog. It offers rich features like WYSIWYG editor, comments section, Captcha for comments and more.

AW Blog extension versions 2.4.5 and earlier were found vulnerable to remote code execution. The method of the attack is called PHP Object Injection and is common in the Magento store wherein the attackers abuse the unserialize() function of PHP. Doing this allows them to manipulate the database or JavaScript files of the Magento store. Another extension of AheadWorks called “AW Advanced Reports” was found vulnerable to the same PHP Object Injection attack. These vulnerabilities were actively exploited in the wild by Magecart groups. 

This vulnerability was fixed in AW Blog version 2.4.6 and therefore, make sure that your version is this or above it.

3. CardGate Payments

CardGate provides a payment module for Magento users. This payment extension caters to a wide variety of companies including MasterCard, Visa, V-Pay, Maestro and Visa Electron. It follows security standards like PCI-DSS, GDPR and PSD2 and even provides an option to manually process the order.

CardGate extension version 2.0.28 and those earlier were found vulnerable to an XSS bug. On the other hand, CardGate extension version 2.0.30 and those earlier were vulnerable to a bug dubbed as CVE-2020-8818 where the attacker could change the sensitive settings of the plugin like Merchant ID or secret key. What was more alarming was that it could be done without any authentication! 

To accomplish this, the attacker would manually send an IPN (Instant Payment Notification) callback request. The IPN callback was sent with a valid signature but without real payment which, if implemented successfully, allowed the attacker to change the settings. 

This has been fixed in CardGate extension version 2.0.31 which means that you should update the same to the latest version.

4. Webgility

This is a Magento extension that comes handy while managing e-commerce data like sales, expenses, fees and many more across multiple channels. Webgility extension integrates the data from multiple channels into one app. Moreover, it can automatically post your data from Magento to QuickBooks or Xero. Also, the dashboard can act as a central hub for viewing data from multiple channels and thereafter, taking informed decisions.

Webgility versions earlier than 1.0.3 were vulnerable to a remote code execution bug. This vulnerability allowed attackers to take complete control over the Magento store and even run their own code. However, according to Webgility, only the users that used Webgility to sync data from Magento to Quickbooks were affected. 

This plugin comes into this list because some articles claimed that this extension contained a backdoor to install remote upgrades by the developers themselves. The articles also claimed that the developers failed to acknowledge the flaw when confronted. 

However, this vulnerability has been patched in version 1.0.3 which can be checked in its release notes.

5. Multiple Wishlists

By default, Magento allows only one wishlist per customer. However, by using the 

Multiple Wishlists extension, users can have multiple wishlists. Additionally, it provides customers the ease to operate while managing those lists. This extension can help in reducing the abandoned cart rate.

The extension was found vulnerable to an XSS bug. This vulnerability occurs when the user input is not sanitized. In this case, the vulnerable component was:

view/frontend/templates/popup.phtml

This contained a vulnerable code on line 33 and 35 that  looked like this:

<input type="hidden" value="<?php echo $block->getRequest()->getParam('product_id'); ?>" id="productId"

<input type="hidden" value="<?php echo $block->getRequest()->getParam('itemid'); ?>" id="itemid" name="itemid"/>

Here, the parameters product_id and itemid are not being escaped. Therefore, even though the fields are hidden, an attacker can inject malicious javascript in these fields and conduct an XSS attack. 

These bugs have been fixed in Multiple Wishlists extension version 1.2.0. Therefore, you should be sure that you are up-to-date if you are using it.

Conclusion

This article barely scratches the surface as there are thousands of extensions on the Magento store. For future references, you can refer to this Github repo for a list of vulnerable Magento extensions. You can also audit your current extension list and double-check that with the vulnerable extensions list. 

If you do have any of these extensions installed, you may want to see if it's running on a safe version. Overall, updating your extensions, installing security patches, getting a website firewall and indulging in secure maintenance of your store is always a security recommendation.