Unpatched versions of the Abandoned Cart for WooCommerce plugin for WordPress have been exploited in attacks, researchers say. Apparently, there’s a dangerous XSS (cross-site scripting) vulnerability in the plugin which affects both its paid and free versions.
Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce, said Wordfence researchers.
Abandoned Cart for WooCommerce WordPress Plugin Exploited in Attacks
The Abandoned Cart for WooCommerce plugin is designed to help owners of WooCommerce sites track abandoned shopping carts in order to recover those sales. However, researchers discovered “a lack of sanitation on both input and output” which allows attackers to inject malicious JavaScript payloads into various data fields. These payloads execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.
How is the attack carried out? Cybercriminals create a cart with fake contact information, which is then abandoned. According to the report, the names and emails are random, but the requests follow the same pattern: the generated first and last name are supplied together as billing_first_name, while the billing_last_name field contains the injected payload.
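The two weaknesses described above, missing input sanitization and missing output escaping, can be illustrated from the defender's side. The following is an added example, not code from the plugin or from the Wordfence report: it triages constructed abandoned-cart records for the pattern the report describes (markup or a URL inside a billing name field) and shows how escaping the name on output neutralizes a stored payload before it reaches the admin's browser. The field names billing_first_name, billing_last_name and billing_email are taken from the article; the sample records and the helper names are assumptions made for the example.

```python
import html
import re

# Constructed sample abandoned-cart records for the example; not real attack data.
# Record 1 follows the pattern from the report: a full name in billing_first_name
# and markup in billing_last_name. The script URL is a harmless placeholder.
SAMPLE_CARTS = [
    {"billing_first_name": "Jane", "billing_last_name": "Doe",
     "billing_email": "jane@example.com"},
    {"billing_first_name": "Alex Smith",
     "billing_last_name": "<script src='https://cdn.example.invalid/x.js'></script>",
     "billing_email": "r4nd0m@example.net"},
    {"billing_first_name": "Ann", "billing_last_name": "O'Brien",
     "billing_email": "ann@example.org"},
]

NAME_FIELDS = ("billing_first_name", "billing_last_name", "billing_email")

# Anything that looks like an HTML tag, or a URL / link-shortener reference,
# has no business in a customer name or e-mail field.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
URL_RE = re.compile(r"https?://|\bbit\.ly/", re.IGNORECASE)


def suspicious_fields(cart: dict) -> list[str]:
    """Return the billing fields of one cart that contain markup or a URL."""
    flagged = []
    for field in NAME_FIELDS:
        value = cart.get(field, "")
        if TAG_RE.search(value) or URL_RE.search(value):
            flagged.append(field)
    return flagged


def triage(carts: list[dict]) -> list[int]:
    """Return the indices of carts whose stored data should be reviewed, not rendered."""
    return [i for i, cart in enumerate(carts) if suspicious_fields(cart)]


def render_name_cell(cart: dict) -> str:
    """Render the customer name for the admin list with output escaping applied.

    html.escape() converts <, >, &, ' and " into entities, so a stored payload
    is displayed as text instead of being executed in the administrator's browser.
    """
    first = html.escape(cart.get("billing_first_name", ""))
    last = html.escape(cart.get("billing_last_name", ""))
    return f"<td>{first} {last}</td>"


if __name__ == "__main__":
    for idx in triage(SAMPLE_CARTS):
        print(f"cart {idx}: suspicious fields {suspicious_fields(SAMPLE_CARTS[idx])}")
    for cart in SAMPLE_CARTS:
        print(render_name_cell(cart))
```

The triage step is the detection half: run over the plugin's stored cart rows, it surfaces records that match the reported pattern so they can be reviewed without being opened in the dashboard. The escaping step is the mitigation half: output escaping of every stored value at render time is what the plugin lacked, and it stops a payload regardless of how it was injected. Input validation (rejecting names that contain markup) is a useful second layer but should not replace escaping on output.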
The bit.ly shortener used in these attacks resolves to hXXps://cdn-bigcommerce[.]com/visionstat.js.
The domain, which attempts to look innocuous by impersonating the legitimate cdn.bigcommerce.com, points to the command and control (C2) server behind the infection. The target script, visionstat.js, is a malicious JavaScript payload which uses the victim’s own browser session to deploy backdoors on their site.
It should be noted that two backdoors are deployed in the attacks: a rogue administrator account is created, and a deactivated plugin is infected with a code execution script. Both of these actions are executed by creating a hidden iframe in the admin’s existing browser window, then simulating the process of filling out and submitting the necessary forms within it, researchers said.
The researchers had detected 5,251 accesses to the bit.ly link associated with the attacks.