Backdoor found in Webgility
by Sansec Forensics Team
Published in Threat Research − October 30, 2018


Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345.
Update Nov 30th: Webgility has discovered another security issue and urges all customers to upgrade to version 346.
The VC-funded Webgility software contains a backdoor intended for remote upgrades. The mechanism lets anyone, without authentication, upload PHP code to the store and have it executed. The Webgility engineering team has denied the existence of the backdoor, even when confronted with a functional proof of concept and a demonstration video.
Because of the severity, Sansec recommends that Webgility customers restrict access to the module to trusted IPs, or temporarily remove the software, until a fix is available.
The backdoor was discovered by Eric Seastrand as part of a PCI code audit. He reported the security flaw on Oct 16th to Webgility, together with an extensive explanation, sample code and a demo video. Then, he got this odd response:
Our engineers further reviewed your E-mail and we would like to inform you that, this file can't execute automatically or through a Web Browser [...] we request you kindly do not test or trial anything in Webgility module folder
Eric answered patiently and explained once again how the unauthorized update mechanism poses a serious security threat. Webgility thanked him for the suggestion and closed the ticket without further ado.
Additional attempts to explain the security implications were also unsuccessful.
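The pattern at issue, as an added illustration that is neither Webgility's code nor Eric's proof of concept: a "remote upgrade" endpoint that accepts PHP from any client and executes it, followed by one defensible design for vendor-pushed updates, in which the request carries no code, the package is verified against the vendor's Ed25519 public key before anything is written to disk, and the trigger is limited to an authenticated admin. Function names, paths, the admin check and the key material are assumptions; the self-test at the bottom signs a constructed package with a throwaway key pair (requires PHP 7.2+ with the sodium extension).

```php
<?php
declare(strict_types=1);

/*
 * Added illustration, not Webgility's code. First the anti-pattern Sansec
 * describes (a "remote upgrade" endpoint that lets any client ship PHP and
 * have it executed), then a hardened design for vendor-pushed updates.
 * Paths, parameter names, the admin check and the key material are assumptions.
 */

// ---- Vulnerable pattern (do not deploy) -------------------------------------
// No authentication, no origin check, no integrity check: whoever reaches the
// URL chooses the code that runs. Functionally a backdoor, whatever it is called.
function vulnerableUpdate(string $moduleDir): void
{
    if (!isset($_FILES['update'])) {
        http_response_code(400);
        return;
    }
    $target = $moduleDir . '/' . basename($_FILES['update']['name']);
    move_uploaded_file($_FILES['update']['tmp_name'], $target);
    include $target;                        // executes client-supplied PHP
}

// ---- Hardened pattern --------------------------------------------------------
// The vendor signs each release with an Ed25519 private key that never leaves
// the vendor; the plugin embeds only the public key. The HTTP request carries
// no code, only a trigger; the package comes from a pinned vendor URL (fetch
// omitted here) and is not written to disk until the signature verifies over
// its exact bytes. The trigger itself is refused for anyone but an admin.
function verifyPackage(string $package, string $signature, string $pubKey): bool
{
    // Length checks first: sodium throws on malformed input, and a thrown
    // exception should never be the only thing standing between a request and
    // the filesystem.
    if (strlen($pubKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES ||
        strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $pubKey);
}

function hardenedUpdate(bool $callerIsAdmin, string $package, string $signature,
                        string $pubKey, string $stageDir): bool
{
    if (!$callerIsAdmin) {                  // unauthenticated triggers are refused
        return false;
    }
    if (!verifyPackage($package, $signature, $pubKey)) {
        return false;                       // unsigned or tampered: nothing touches disk
    }
    // Only a verified archive is staged. Extraction and activation are a
    // separate, deliberate step (omitted), never an include of request data.
    return file_put_contents($stageDir . '/update.tar', $package) !== false;
}

// ---- Self-test with constructed data (stand-in for a vendor release) ---------
$keypair   = sodium_crypto_sign_keypair();           // vendor-side, done once
$secretKey = sodium_crypto_sign_secretkey($keypair); // stays with the vendor
$publicKey = sodium_crypto_sign_publickey($keypair); // shipped inside the plugin

$package   = "constructed release archive bytes\n";
$signature = sodium_crypto_sign_detached($package, $secretKey);
$stageDir  = sys_get_temp_dir();

var_dump(hardenedUpdate(true,  $package,       $signature, $publicKey, $stageDir)); // admin, intact package
var_dump(hardenedUpdate(false, $package,       $signature, $publicKey, $stageDir)); // unauthenticated trigger
var_dump(hardenedUpdate(true,  $package . 'x', $signature, $publicKey, $stageDir)); // tampered package
```

The design point is that the web tier is never a code-upload endpoint: the only thing a request can do is ask the application to fetch and verify a release, and a valid signature from the vendor's key, not the identity of whoever sent the request, is what authorises writing it. An authenticated-admin gate alone would not be enough either, since a stolen admin session would again turn the updater into a remote code execution path.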
Sansec has validated Eric's proof of concept exploit code on a live store. Given the ongoing efforts by attackers to find vulnerabilities in third-party ecommerce software, this vulnerability poses a significant risk to Webgility customers and could be exploited for card skimming attacks.
Until Webgility releases a patch, customers should consider restricting access or temporarily removing the software. The vulnerable file can be found here.
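One way to apply the interim advice at the web server, as an added example that is not Sansec's or Webgility's configuration: an nginx deny-by-default rule for the module's URL path. The path and the addresses are placeholders to replace with the module's real location and your trusted ranges.

```nginx
# Added example, not vendor configuration. Replace the path and addresses.
# Deny-by-default for the Webgility module directory: only the listed
# clients may reach anything under it, everyone else receives 403.
location ^~ /path/to/webgility/module/ {   # placeholder: the module's real URL path
    allow 203.0.113.10;        # placeholder: the vendor's update source, if you know it
    allow 198.51.100.0/24;     # placeholder: your office or admin network
    deny  all;

    # The PHP handler still has to be declared inside this block for the
    # allowed clients, e.g. (adjust to your existing fastcgi setup):
    # include snippets/fastcgi-php.conf;
    # fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

This is a stopgap, not a fix: it limits who can reach the endpoint, it does not remove it, and it offers nothing if the module is reachable through another alias, vhost or rewrite. Verify with a request from an outside address after reloading, and prefer removing the software if you cannot enumerate the addresses that legitimately need it.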
Thanks to Eric and the fine people at Hypernode for additional research.