A vulnerability in a WordPress plugin is being abused to install malicious code and steal people's payment data, experts have warned.
A report from Sucuri, the cybersecurity researchers who discovered the attack, says that Dessky Snippets, a relatively unknown WordPress plugin, allows website administrators to add custom PHP code to their sites.
According to the report, the attackers looked for active installations of the plugin on websites with online stores. Once found, they would use the vulnerability to install server-side PHP credit card theft malware, allowing them to steal financial data from victims.
New payment methods
“This malicious code was saved in the dnsp_settings option in the wp_options table of WordPress and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code,” Sucuri researchers said in their article.
That is, this new code adds additional forms to the checkout page, where customers are asked to add their names, addresses, credit card numbers, expiration dates, and CVV numbers. The fake forms also have autocomplete disabled, so users who have autofill turned on should treat payment fields that are not filled in automatically as a red flag.
“By manually disabling this feature in the fake payment form, it reduces the likelihood of the browser warning the user that sensitive information is being entered and ensures that fields remain blank until the user manually completes them, reducing suspicion and making the fields appear as regular and necessary inputs for the transaction,” Sucuri explained.
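A store owner can check a saved copy of the rendered checkout page for the pattern described above, card-like inputs with autofill switched off. The following is an added example, not code from Sucuri or the article; the field-name patterns, the use of `autocomplete="off"` as the disabling mechanism, and the sample HTML are assumptions constructed for illustration, and any hit is a lead to review rather than proof of compromise.

```python
import re
from html.parser import HTMLParser

# Heuristic name fragments for card-data inputs (assumption; tune per store).
CARD_HINTS = re.compile(r"card|ccnum|cvv|cvc|expir", re.I)

class CheckoutAudit(HTMLParser):
    """Collect card-like <input> fields whose browser autofill is switched off."""

    def __init__(self):
        super().__init__()
        self.form_off = False   # enclosing <form autocomplete="off">
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input":
            label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
            ac = a.get("autocomplete", "").lower()
            # Flag explicit "off", or no hint at all inside an autocomplete-off form.
            if CARD_HINTS.search(label) and (ac == "off" or (not ac and self.form_off)):
                self.findings.append(a.get("name") or a.get("id") or label.strip())

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_checkout(html):
    """Return names of suspicious card inputs found in rendered checkout HTML."""
    parser = CheckoutAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a normal billing field, a gateway field, and an injected block.
SAMPLE_CHECKOUT = """
<form name="checkout">
  <input name="billing_first_name" autocomplete="given-name">
  <input name="gateway_cardnumber" autocomplete="cc-number">
  <input name="extra_card_number" autocomplete="off">
  <input name="extra_expiry" autocomplete="off">
  <input name="extra_cvv" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    print(audit_checkout(SAMPLE_CHECKOUT))
```

Any flagged field is best compared against the fields the store's payment gateway is expected to render, alongside a review of the `dnsp_settings` option in `wp_options` named in the report.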
As the most popular website builder out there, WordPress is a major target among cybercriminals. However, since the platform is generally considered secure, attackers have turned their attention to plugins and themes, which are much less secure. As a general rule, WP users should only keep the plugins and themes they are actually using, and should make sure they are always up to date.
Via Hacker News