Unknown threat actors are exploiting lesser-known code snippet plugins for WordPress to inject malicious PHP code into victim sites to harvest credit card data.
The observed campaign by Sucuri on May 11, 2024, involves the misuse of a WordPress plugin called Dessky Snippets, with over 200 active installations, allowing users to add custom PHP code.
These attacks typically exploit vulnerabilities in WordPress plugins or weak credentials to gain administrator access and install additional plugins for post-exploitation purposes.
Sucuri identified the use of the Dessky Snippets plugin to insert a server-side PHP malware on compromised websites to capture financial data.
“The malicious code was stored in the dnsp_settings option in the WordPress wp_options table and aimed to manipulate the checkout process in WooCommerce by altering the billing form and injecting its own code,” stated security researcher Ben Martin here.
The injected code adds new fields to the billing form requesting credit card details, which are then sent to “hxxps://2of[.]cc/wp-content/” for exfiltration.
An interesting aspect of the attack is that the billing form disables the autocomplete attribute (autocomplete=”off”), reducing suspicion and making the fields appear normal.
Previous instances have shown threat actors misusing legitimate code snippet plugins for malicious activities, such as the abuse of the WPCode plugin to inject JavaScript code for redirects to VexTrio domains.
Another campaign named Sign1 infected thousands of WordPress sites using the Simple Custom CSS and JS plugin for malicious redirects to scam sites.
WordPress site owners, especially those with e-commerce features, are advised to update plugins regularly, use strong passwords, and monitor their sites for any signs of malware or unauthorized changes.
