As WordPress gained popularity over CMS competitors like Joomla and Drupal, it grew to a level where plugin developers jumped on the bandwagon. Plugins are a double-edged sword: they extend WordPress' capabilities beyond the default functions, but they come with risks that, if left unchecked, can cause trouble for a website. WooCommerce Abandoned Cart Lite, which has been downloaded 20,000 times by WordPress admins worldwide, has been found to harbor a nasty cross-site scripting (XSS) vulnerability.
WooCommerce Abandoned Cart Lite is a WordPress plugin that gives web admins an automated way to find the details of all abandoned shopping carts on their website. Its usefulness lies in reporting to admins what products are frequently sold on the site they manage.
When a vulnerable version of the plugin is installed, the attacker can inject malicious code through a shopping cart field itself. The injected script then downloads backdoor programs using a specially crafted bit.ly link created by the attackers. The first backdoor creates a new admin account in the system; its username and password are hard-coded in the script. The second backdoor script scans the WordPress installation for any disabled plugin and overwrites that plugin with its own code, duplicating itself in the system to serve as a second way to re-infect the site once the backdoors are discovered.
“The Bit.ly stats can be misleading because one infected site can source that link several times if the XSS payload stays in the abandoned cart dashboard and the admin frequents it. It’s also hard to tell how many successful XSS injections are sitting around waiting for an admin to open that page for the first time. We don’t have a lot of data about successful exploits because our WAF stopped any of our active users from getting compromised,” added Veenstra.
The attackers can then use the infected website for spam and other cybercrime, such as infecting visitors' PCs with malware. The existence of a “woouser” account in WordPress is a primary indicator of a successful compromise of the site. All web admins are advised to update the plugin to a version newer than 5.2.0.
“Because the plugin’s developers were made aware of this flaw due to reports of these same exploits, they include a check for the existence of the email address registered with the malicious “woouser” account. If a user with this email is identified, the plugin deletes that user,” Veenstra concluded.
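As an added illustration (not code from the article or from the plugin's developers), a small WordPress mu-plugin in the spirit of the vendor fix quoted above: escape the cart field at output time, which is the root cause of the stored XSS, and remove the “woouser” account if it exists. The `acx_` function names are hypothetical; the vendor keys its check on the account's e-mail address, which the article does not quote, so this version keys on the login name instead.

```php
<?php
/*
 * Plugin Name: Abandoned-cart XSS hardening (illustrative mu-plugin)
 * Added example, not the WooCommerce Abandoned Cart Lite plugin's own code.
 * Two defender-side measures drawn from the article: escape untrusted cart
 * data before it reaches the admin dashboard, and remove the "woouser"
 * account the backdoor creates. Function names prefixed acx_ are hypothetical.
 */

// Root cause: a value a shopper typed into a cart field was echoed into an
// admin page unescaped. Always escape at output time; never trust the stored value.
function acx_render_cart_field( $value ) {
    return '<td>' . esc_html( (string) $value ) . '</td>';
}

// Indicator of compromise from the article: an account named "woouser".
// get_user_by() returns a WP_User object or false.
function acx_find_backdoor_user() {
    $user = get_user_by( 'login', 'woouser' );
    return $user ? $user : null;
}

// Log what was found (ID and roles) before deleting, so the incident record survives.
function acx_remove_backdoor_user() {
    $user = acx_find_backdoor_user();
    if ( ! $user ) {
        return false;
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    error_log( sprintf(
        'acx: removing backdoor account "woouser" (ID %d, roles: %s)',
        $user->ID,
        implode( ',', $user->roles )
    ) );
    return wp_delete_user( $user->ID );
}

// Run on every admin page load: cheap, and the admin dashboard is where the
// stored payload fires, so a re-created account is caught quickly.
add_action( 'admin_init', 'acx_remove_backdoor_user' );
```

Deleting the account does not touch the second backdoor the article describes, the copy written into a disabled plugin's files, so a file-integrity comparison of the plugins directory against clean copies is still needed after the account is removed.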
To read the original article: