We were recently informed of a pretty large attack on WordPress websites that use the Abandoned Cart Lite for WooCommerce plugin. With over 20,000+ installs, this vulnerability isn’t a minor issue. Let’s take a look at what hackers are doing and how you can prevent it from happening to your website.
Taking over a website and infecting isn’t too hard for hackers when version 5.1.3 or later is installed. The hackers pretend to be customers and add items to the cart, but when the time comes for checkout info, they enter fake information and injected code via a link to the billing “last name” field. They then will abandon the cart, causing the Abandoned Cart Lite plugin to log the information. The code that they injected with that link will then run once you or anyone with administrator privileges logs in and views the “abandoned carts” in the backend of the website.
What This Means for You
So what happens after someone views the abandoned carts? You probably won’t notice anything right away, but let’s look at what happens in the background.
The injected code opens up two “secret” doors into your website. The first door allows the hacker to create an administrator user named ‘woousers’. As this is an admin user, they will have full access to your website.
The second door is a bit more complex, and is ultimately a “backup” plan in case something doesn’t work with the first door. Basically, the injected code will look for any plugin that is installed on your website that is not active (disabled) and will then replace the files of that plugin with malicious code, giving them full control.
How to Prevent Attacks on Your WordPress Website
So, how do you prevent this from happening? First off, you need to run updates on your WordPress website. Since this plugin vulnerability has been discovered, Tyche Softwares, the creators of Abandoned Cart Lite for WooCommerce have issued an update to fix this issue.
While the update goes above and beyond and will automatically remove the ‘woousers’ if it finds it listed, there is still a possibility of infection depending on the number of ‘doors’ that were created.
Keep Your Website Prepared
Unfortunately, there isn’t any way of knowing how many websites have been infected, so the best way to prevent against this from happening is to run updates and keep an eye on your website over the next few weeks. If you have backups of your website, we recommend having it ready in case something goes wrong.
The main key to protecting your website from vulnerabilities, is to take backups and run updates.