Cross-site scripting (XSS) flaw in abandoned cart plugin lets hackers seize vulnerable sites.
WordPress-based shopping sites are being attacked by a hacker group that uses a shopping cart plugin vulnerability to plant backdoors and seize vulnerable sites.
According to Defiant, the company behind Wordfence, a firewall plugin for WordPress websites, the attacks are ongoing. Hackers are targeting WordPress sites using “Abandoned Cart Lite for WooCommerce,” a plugin installed on more than 20,000 WordPress sites according to the official WordPress plugin directory.
How is it vulnerable?
These attacks are one of the rare cases where a mundane and often low-impact cross-site scripting (XSS) vulnerability leads to serious compromises. XSS defects are seldom weaponized in such dangerous ways.
These hacks occur because of how the plugin operates and the vulnerability it contains, which combine to create a perfect storm.
As its name implies, the plugin allows site managers to view abandoned shopping carts: the products users added to their carts before suddenly leaving the site.
Site owners use this plugin to get a list of products that may become popular in the store in the future. These lists of abandoned carts are available only on the backend of the WordPress site, usually only to administrators or other high-privileged accounts.
How are hackers/attackers using this flaw?
Defiant security researcher Mikey Veenstra reports that hackers use automation against WooCommerce-based WordPress stores to create carts containing products with malformed names.
They add exploit code to one of the shopping cart’s fields and then leave the website, which ensures the exploit code is stored in the shop’s database.
When an administrator accesses the shop’s backend to view the list of abandoned carts, the hacker’s exploit code executes as soon as that specific page loads on the user’s screen.
Veenstra said Wordfence has detected several exploitation attempts using this technique over the last few weeks.
The attackers plant two backdoors. The first is a new admin account created by the hackers on the site. This new admin user has the name “woouser,” is registered with the email address “[email protected]” and uses the password “K1YPRka7b0av1B”. The second backdoor is cleverer and uses a rarely seen technique.
Veenstra said that the malicious code lists all plugins on the site and looks for the first one the site manager has disabled.
Hackers don’t reactivate it, but instead replace its main file with a malicious script that will serve as a backdoor for future access. The plugin stays deactivated. However, because its files are still on disk and accessible over the web, hackers can send malicious instructions to this second backdoor even if site owners remove the “woouser” account.
The bit.ly link used in this campaign has been accessed more than 5,000 times, which suggests that thousands of sites are most likely infected. However, Veenstra says the 5,200+ figure is not entirely accurate.
“Bit.ly’s statistics can be misleading, because an infected website can connect several times if the XSS payload is in the deserted cart dashboard and the admin visits it frequently,” said Veenstra.
“It’s also hard to say how many successful XSS injections wait for an admin to open this page,” added the researcher, suggesting that many sites have been attacked but the backdoor has yet to be used, so the bit.ly link hasn’t loaded yet.
Right now, Veenstra and the rest of the Defiant team cannot tell for sure what the hackers are trying to achieve by compromising all of these WordPress stores. “We do not have much data on successful achievements because our WAF has prevented some of our active users from getting compromised,” Veenstra said.
Hackers could use these websites to plant card skimmers or SEO spam. The “Abandoned Cart Lite for WooCommerce” plugin received a fix for the XSS vector used in these recent attacks in version 5.2.0, released on February 18.
WordPress site owners who use the plugin are advised to update their websites and check the list of admin accounts in their control panel for suspicious entries. The “woouser” account may not be there under that name, as hackers might have renamed it.
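The two patterns the article describes, the stored cart data being rendered unescaped in the admin dashboard and the rogue “woouser” administrator, as an added Python example that is not part of the article or of the plugin’s code. It shows the vulnerable rendering beside the escaped fix and two triage checks a site owner can run over exported data; the table columns, the sample rows and the `attacker.example` URL are constructed assumptions, not the plugin’s real schema or any real indicator.

```python
import html
import re

# Constructed sample rows for an abandoned-cart table. The column names are an
# assumption for illustration, not the plugin's real schema; the markup in
# carts 2 and 3 is a harmless constructed stand-in for a stored payload.
SAMPLE_CARTS = [
    {"cart_id": 1, "customer": "alice@example.com", "item": "Blue mug"},
    {"cart_id": 2, "customer": "mallory@example.com",
     "item": 'Blue mug<script src="https://attacker.example/x.js"></script>'},
    {"cart_id": 3, "customer": "<img src=x onerror=alert(1)>", "item": "Red hat"},
]

# Constructed subset of wp_users plus role; "woouser" is the account name the
# article reports.
SAMPLE_USERS = [
    {"user_login": "shopowner", "role": "administrator"},
    {"user_login": "editor1", "role": "editor"},
    {"user_login": "woouser", "role": "administrator"},
]

# Crude markers of HTML or JavaScript in data that should only ever be plain text.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_row_unescaped(row):
    """Vulnerable pattern: stored cart data dropped straight into admin HTML."""
    return f"<tr><td>{row['customer']}</td><td>{row['item']}</td></tr>"


def render_row_escaped(row):
    """Fixed pattern: escape on output (the equivalent of WordPress esc_html())."""
    return (f"<tr><td>{html.escape(row['customer'])}</td>"
            f"<td>{html.escape(row['item'])}</td></tr>")


def find_suspicious_carts(rows):
    """Return cart_ids whose text fields contain markup or event handlers."""
    return [r["cart_id"] for r in rows
            if any(MARKUP.search(str(v)) for k, v in r.items() if k != "cart_id")]


def find_unexpected_admins(users, known_logins):
    """Return administrator logins that are not on the owner's known list."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator" and u["user_login"] not in known_logins]


if __name__ == "__main__":
    for row in SAMPLE_CARTS:
        print(render_row_escaped(row))
    print("suspicious carts:", find_suspicious_carts(SAMPLE_CARTS))
    print("unexpected admins:", find_unexpected_admins(SAMPLE_USERS, {"shopowner"}))
```

The admin check only catches an account that still carries a login you do not recognise; as the article notes, the attackers may rename it, so compare the full administrator list against the one you expect rather than searching for “woouser” alone.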