
Published on March 12th, 2019

WARNING! XSS Vulnerability Found in Abandoned Cart Plugin




XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

https://sjvirtualmedia.com/warning-xss-vulnerability-found-in-abandoned-cart-plugin/

Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce.

The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales.

A lack of sanitization on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.
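
The two missing controls described above, shown side by side in plain PHP. This is an added example, not the plugin's own code. The field names `billing_first_name` and `billing_email`, the function names and the sample record are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Field names, function names and the
// sample record are constructed for illustration.

// Input side: normalise cart fields before they are stored.
// In WordPress, sanitize_text_field() and sanitize_email() fill this role.
function clean_cart_fields(array $raw): array {
    $name  = trim(strip_tags((string)($raw['billing_first_name'] ?? '')));
    $email = filter_var((string)($raw['billing_email'] ?? ''), FILTER_VALIDATE_EMAIL);
    return [
        'billing_first_name' => $name,
        'billing_email'      => $email === false ? '' : $email,
    ];
}

// Output side, unsafe: stored values are concatenated into dashboard HTML as-is,
// so any markup in the record becomes part of the page the administrator loads.
function render_row_unsafe(array $cart): string {
    return '<tr><td>' . $cart['billing_first_name'] . '</td><td>'
         . $cart['billing_email'] . '</td></tr>';
}

// Output side, hardened: every value is escaped for the HTML context at render
// time (esc_html() in WordPress), so stored markup is displayed as text.
function render_row_safe(array $cart): string {
    $e = fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e($cart['billing_first_name']) . '</td><td>'
         . $e($cart['billing_email']) . '</td></tr>';
}

// Constructed submission carrying markup in a text field.
$submitted = [
    'billing_first_name' => '<script>alert(1)</script>Ann',
    'billing_email'      => 'ann@example.test',
];

// Row 1 emits a live script element; rows 2 and 3 emit inert text.
echo "unsafe, raw record:  ", render_row_unsafe($submitted), "\n";
echo "escaped, raw record: ", render_row_safe($submitted), "\n";
echo "escaped, cleaned:    ", render_row_safe(clean_cart_fields($submitted)), "\n";
```

Escaping at render time is the control that protects the dashboard even for records stored before input cleaning was in place, which is why both sides need fixing.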





At this time, any WordPress sites making use of woocommerce-abandoned-cart, or its premium version, woocommerce-abandoned-cart-pro, are advised to update to the latest available version as soon as possible.

Sites making use of the Wordfence WAF, both free and premium, are protected from the attacks detailed in this post due to the firewall’s built-in XSS protection.

Affected users without Wordfence installed should consider a Site Security Audit to confirm the integrity of their WordPress sites.


2019-03-12 01:02:10
