WordPress Plugin WooCommerce is Vulnerable to XSS Attacks
As WordPress gained popularity over CMS competitors such as Joomla and Drupal, plugin developers jumped on the bandwagon. Plugins are a double-edged sword: they extend WordPress beyond its default functions, but they bring risks that, if left unchecked, can cause trouble for a website. WooCommerce Abandoned Cart Lite, downloaded 20,000 times by WordPress admins worldwide, has been found to harbor a nasty cross-site scripting (XSS) vulnerability.
WooCommerce Abandoned Cart Lite is a WordPress plugin that gives web admins an automated way to find the details of all abandoned shopping carts on their website. Its usefulness lies in the reports it gives admins on which products are frequently sold by the site they manage.
“A lack of sanitation on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard. At this time, any WordPress sites making use of woocommerce-abandoned-cart, or its premium version, woocommerce-abandoned-cart-pro, are advised to update to the latest available version as soon as possible. Sites making use of the Wordfence WAF, both free and premium, are protected from the attacks detailed in this post due to the firewall’s built-in XSS protection,” explained Mikey Veenstra, a Wordfence representative. Wordfence is a specialized web firewall for WordPress.
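The quote above names the root cause: a shopper-supplied value is stored without sanitization and later echoed into an administrator's page without escaping. The snippet below, an added illustration that is not the plugin's code, shows that vulnerable pattern next to its hardened form. The table name, column name and function names are assumptions made for the example; the WordPress helpers `sanitize_text_field()`, `wp_unslash()` and `esc_html()` are real.

```php
<?php
// Added illustration (not the plugin's own code) of a stored XSS in an admin
// report page and the fix. Table/column/function names are assumed.

// --- Vulnerable pattern: the value is stored as submitted and echoed raw. ---
function example_save_cart_unsafe( $wpdb, $raw_name ) {
    // No sanitization: whatever the shopper typed is written verbatim.
    $wpdb->insert(
        $wpdb->prefix . 'example_abandoned_carts',
        array( 'customer_name' => $raw_name )
    );
}

function example_render_carts_unsafe( $wpdb ) {
    $rows = $wpdb->get_results( "SELECT customer_name FROM {$wpdb->prefix}example_abandoned_carts" );
    echo '<table>';
    foreach ( $rows as $row ) {
        // Raw echo: a stored <script> tag runs in the administrator's browser
        // the moment the abandoned-cart list is opened.
        echo '<tr><td>' . $row->customer_name . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened pattern: sanitize on input AND escape on output. ---
function example_save_cart_safe( $wpdb, $raw_name ) {
    // sanitize_text_field() strips tags and control characters before storage;
    // wp_unslash() removes the slashes WordPress adds to request data.
    $clean = sanitize_text_field( wp_unslash( $raw_name ) );
    $wpdb->insert(
        $wpdb->prefix . 'example_abandoned_carts',
        array( 'customer_name' => $clean ),
        array( '%s' )
    );
}

function example_render_carts_safe( $wpdb ) {
    $rows = $wpdb->get_results( "SELECT customer_name FROM {$wpdb->prefix}example_abandoned_carts" );
    echo '<table>';
    foreach ( $rows as $row ) {
        // esc_html() encodes <, >, &, " and ' at the point of output, so even a
        // value that reached the database unsanitized is rendered as text.
        echo '<tr><td>' . esc_html( $row->customer_name ) . '</td></tr>';
    }
    echo '</table>';
}
```

Input sanitization and output escaping are independent layers: data already in the database from before a fix, or written by another code path, is only neutralized by the escaping in the render function, which is why the hardened version keeps both.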
When a vulnerable version of the plugin is installed, the attacker can insert malicious code through the shopping cart’s fields themselves. A script containing the instructions then downloads backdoor programs using a specially crafted bit.ly link created by the attackers. The first backdoor creates a new admin account in the system; its username and password are hard-coded in the script. The second backdoor script scans the WordPress installation for any disabled plugin and overwrites it with its own code, duplicating itself in the system so it can re-infect the site once the first backdoor is discovered.
“The Bit.ly stats can be misleading because one infected site can source that link several times if the XSS payload stays in the abandoned cart dashboard and the admin frequents it. It’s also hard to tell how many successful XSS injections are sitting around waiting for an admin to open that page for the first time. We don’t have a lot of data about successful exploits because our WAF stopped any of our active users from getting compromised,” added Veenstra.
The attackers can then use the infected website for spam and any other cybercrime, such as infecting visitors’ PCs with additional malware. The existence of a “woouser” account in WordPress is a primary indicator of a successful infiltration of the site. All web admins are advised to update the WooCommerce Abandoned Cart Lite plugin to a version newer than 5.2.0.
“Because the plugin’s developers were made aware of this flaw due to reports of these same exploits, they include a check for the existence of the email address registered with the malicious “woouser” account. If a user with this email is identified, the plugin deletes that user,” Veenstra concluded.
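The two preceding paragraphs give a defender two account-level indicators: the “woouser” login name, and the e-mail address the updated plugin checks for. The snippet below is an added, read-only check (not the plugin's code and not the vendor's) that reports both, plus the full administrator list for review. The e-mail address is a placeholder because the article does not give it; `get_user_by()` and `get_users()` are real WordPress functions.

```php
<?php
// Added example (not the plugin's own code): a read-only check for the
// indicators described in the article. Drop it in a site-specific mu-plugin
// or run it with `wp eval-file`. It reports; it does not delete anything.

define( 'EXAMPLE_SUSPECT_LOGIN', 'woouser' );
// Placeholder: the article does not give the address; take it from the vendor's advisory.
define( 'EXAMPLE_SUSPECT_EMAIL', 'PLACEHOLDER@example.invalid' );

function example_find_suspect_accounts() {
    $findings = array();

    // Indicator 1: an account with the login name reported in the article.
    $by_login = get_user_by( 'login', EXAMPLE_SUSPECT_LOGIN );
    if ( $by_login ) {
        $findings[] = sprintf(
            'login "%s" exists (ID %d, roles: %s, registered %s)',
            $by_login->user_login,
            $by_login->ID,
            implode( ',', $by_login->roles ),
            $by_login->user_registered
        );
    }

    // Indicator 2: any account registered with the e-mail address that the
    // plugin's own post-fix check looks for.
    $by_email = get_user_by( 'email', EXAMPLE_SUSPECT_EMAIL );
    if ( $by_email ) {
        $findings[] = sprintf(
            'e-mail %s is registered to user "%s" (ID %d)',
            EXAMPLE_SUSPECT_EMAIL,
            $by_email->user_login,
            $by_email->ID
        );
    }

    // Context: list every administrator so an unexpected one stands out,
    // since the first backdoor described above creates an admin account.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    foreach ( $admins as $admin ) {
        $findings[] = sprintf(
            'administrator: %s <%s> registered %s',
            $admin->user_login,
            $admin->user_email,
            $admin->user_registered
        );
    }

    return $findings;
}

foreach ( example_find_suspect_accounts() as $line ) {
    error_log( '[abandoned-cart-check] ' . $line );
}
```

A match on either indicator means the XSS payload has already executed in an administrator's browser, so the check is only a starting point: the article also describes a second backdoor that overwrites a disabled plugin, so reviewing the inactive plugins' files and modification times belongs to the same incident review.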