New flaw on a WordPress plugin: Woocommerce Abandoned Cart

WordFence: Woocommerce Abandoned Cart WordPress plugin is vulnerable to XSS cyber attacks

Woocommerce Abandoned Cart is vulnerable to XSS (cross-site scripting) attacks, a flaw discovered by WordFence security researchers. The WordPress plugin gives site administrators an automated way to look up the details of every abandoned shopping cart on their website, and it also provides them with reports on which products sell most frequently on the sites they manage. “A lack of sanitation on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard,” explained Mikey Veenstra of WordFence. “At this time, any WordPress sites making use of woocommerce-abandoned-cart, or its premium version, are advised to update to the latest available version as soon as possible.”
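The quoted description, a missing sanitization step on input and a missing escaping step on output, is the classic recipe for stored XSS in an admin-only listing. The following PHP is an added illustration written for this article, not code from the plugin or from WordFence: it shows a row of shopper-supplied cart data echoed raw into an admin table next to the hardened form. The cart field names, the render functions and the sample row are assumptions constructed for the example; only `esc_html()`, `esc_attr()` and `sanitize_text_field()` are real WordPress API functions, and the shims at the top are approximations that let the file run under the plain `php` CLI outside WordPress.

```php
<?php
// Added example (not the plugin's own code): stored XSS in an admin listing
// and the input/output handling that prevents it. Field names, render
// functions and the sample row are constructed assumptions for this example.

// Shims so the file runs outside WordPress. They approximate the real
// WordPress functions of the same name; inside WordPress the real ones win.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return esc_html( $text );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Approximation: strip tags and control characters, then trim.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}

// Constructed sample row: a shopper-controlled field carrying a script tag.
// (Made up for this example; not a payload taken from the advisory.)
$constructed_cart = array(
    'email' => '<script>alert(1)</script>shopper@example.invalid',
    'name'  => 'Jane <b>Doe</b>',
);

// VULNERABLE: the value is stored exactly as submitted and echoed raw into the
// dashboard page, so the browser of the administrator viewing the list
// executes whatever the shopper typed.
function render_cart_row_vulnerable( array $cart ) {
    return '<tr><td>' . $cart['email'] . '</td><td>' . $cart['name'] . '</td></tr>';
}

// HARDENED, part 1 (input): normalise each field at the moment it is stored.
function store_cart_field( $value ) {
    return sanitize_text_field( $value );
}

// HARDENED, part 2 (output): escape at the point of rendering, regardless of
// what was stored, because rows written by a vulnerable version may already
// be sitting in the database.
function render_cart_row_hardened( array $cart ) {
    return '<tr><td>' . esc_html( $cart['email'] ) . '</td>'
         . '<td>' . esc_html( $cart['name'] ) . '</td></tr>';
}

echo "Vulnerable output:\n" . render_cart_row_vulnerable( $constructed_cart ) . "\n\n";

$stored = array_map( 'store_cart_field', $constructed_cart );
echo "Hardened output:\n" . render_cart_row_hardened( $stored ) . "\n";
```

The point of the two-part fix is that output escaping is the control that actually closes the hole: input sanitization alone leaves any tainted rows already in the database executable, which is why an update that only filters new submissions would not protect an administrator opening an old abandoned-cart list.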

The security experts: an attacker could insert malicious JavaScript payloads, creating new admin accounts on the infected sites

According to Hacker Combat, when a vulnerable version of the Woocommerce Abandoned Cart plugin is installed, an attacker can insert the malicious code through a shopping-cart field itself. A script containing the instructions then downloads backdoor programs from a specially crafted link set up by the criminals. The first backdoor creates a new admin account in the system, with a default username and password hard-coded in the script. The second backdoor script then scans the WordPress installation for any disabled plugin and overwrites that plugin with its own code, duplicating itself in the system as a second way to re-infect the site once the backdoors are discovered.