Hackers have been spotted targeting websites running unpatched versions of the WordPress plugin Abandoned Cart for WooCommerce.
According to a blog written by Mikey Veenstra of WordPress firewall company Defiant (formerly Wordfence), the attacks exploit a cross-site scripting (XSS) flaw in version 5.1.3, a plug-in designed to help site admins analyse and recover sales lost when shoppers abandon carts.
Affecting both paid and free versions of the software, the vulnerability is used to install two backdoors that compromise the site, the second a sneaky backup in case the site owners detect and disable the first.
The attack involves the hackers creating a cart containing bogus contact information, which is then abandoned. When the data in these fields is viewed by a site admin, a lack of output sanitisation means that the billing_first_name and billing_last_name fields become a single customer field containing an injected JavaScript payload.
This uses the admin’s browser session to deploy the backdoors, starting with a rogue admin account added using a hidden iframe which triggers new account creation, at which point a notification of success is sent via the attacker’s command and control.
The second backdoor is then added by opening another iframe to the plugins menu, which is scanned for any with an ‘activate’ link denoting that they are inactive. This is injected with a PHP backdoor script and lies dormant until the attackers decide to activate it.
How many sites have been targeted?
In an interview with ZDNet, Veenstra said Defiant had detected 5,251 accesses to a bit.ly link associated with the attacks.
This exaggerated the true number of active infections, while possibly underestimating the number of inactive ones (i.e. those in place but not yet triggered).
That makes the numbers game a bit of a guess, but it could be anything from the low hundreds to the low thousands from the estimated 20,000 plus installations that have downloaded the plugin.
Working out how many attacks have been successful is even harder because the Defiant only detects attacks as it repels them using its Wordfence firewall. More mysterious still is the attacker’s ultimate objective in executing the compromises.
What to do
The flaw was fixed on 18 February with the release of version 5.2.0, which “added sanitization checks for checkout field capture for guest users.” Anyone using the plugin should update to this version, or later, as soon as possible.
However, according to Defiant, this doesn’t address the secondary backdoor affecting inactive plugins. The company’s recommendation is to review all databases for possible injections.
After this check has been completed, review the user accounts present on your site. If any unauthorized administrator accounts are present, delete them immediately and begin your incident response process.
As with previous WordPress/plugin vulnerability incidents, the issue of updating is never far from the surface.
A recent report by Sucuri noted that the biggest risk to most CMSs are plugins, themes and extensions, which tend to be installed and then not updated often enough.