Massive Exploit Against WooCommerce Payments Underway Bug


Hackers actively target vulnerable WordPress websites in an effort to take advantage of a widespread WooCommerce Payments plugin vulnerability and gain admin rights.

The WooCommerce Payments plugin, with more than 600,000 active installations, facilitates credit and debit card payments in WooCommerce stores.

The Wordfence Threat Intelligence team’s cybersecurity analysts recently discovered the vulnerability in the WooCommerce Payments plugin, and they have tracked it as CVE-2023-28121.

Flaw Exploitation

Massive attacks exploited the vulnerability from July 14–16, 2023, with 1.3 million attacks on 157,000 sites at their peak.

Automattic enforced security fixes for WordPress sites, preventing remote users from impersonating admins and gaining full control. While no active exploits were reported, researchers cautioned against future exploitation due to the critical nature of the bug.

Wordfence researchers discovered attackers exploiting a flaw in WooCommerce Payments by adding a ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ header, granting full control over vulnerable WordPress sites, as demonstrated through a proof-of-concept exploit by RCE Security.

To execute code remotely on the vulnerable site, the threat actor installs the WP Console plugin by exploiting administrative privileges.

Massive Exploit Against WooCommerce Payments Underway Bug
A request attempting to install the wp-console plugin (Source: Wordfence)

WP Console, once installed, empowers threat actors to execute PHP code and deploy a persistent file uploader as a backdoor, maintaining access even after patching the vulnerability.

Massive Exploit Against WooCommerce Payments Underway Bug
A request attempting to use the wp-console plugin to execute malicious code (Source: Wordfence)

This attack seems to be focused on a smaller group of websites, and the early warning signs included a surge in plugin enumeration requests seeking the ‘readme.txt’ file across millions of sites.

Massive Exploit Against WooCommerce Payments Underway Bug
Total requests by date looking for readme.txt files (Source: Wordfence)

Wordfence observes attackers creating admin accounts with random passwords using the exploit, and the threat actors scan for vulnerable sites by accessing the following directory:  –

‘/wp-content/plugins/woocommerce-payments/readme.txt.’ 

IPs Detected

Apart from this, seven IP addresses, including 194.169.175.93, scanning 213,212 sites, have been identified by security researchers in the attacks.

  • 194.169.175.93: 213,212 sites attacked
  • 2a10:cc45:100::5474:5a49:bfd6:2007: 90,157 sites attacked
  • 103.102.153.17: 27,346 sites attacked
  • 79.137.202.106: 14,799 sites attacked
  • 193.169.194.63: 14,619 sites attacked
  • 79.137.207.224: 14,509 sites attacked
  • 193.169.195.64: 13,491 sites attacked

There are thousands of IP addresses distributed in the readme.txt requests. However, only around 5,000 of them conducted actual attacks, making them less valuable to defenders.

To mitigate the risk posed by CVE-2023-28121, it is highly recommended that all WooCommerce Payment plugin users should update their installations immediately. Additionally, the site admins should scan for odd PHP files and suspicious admin accounts.

Also Read:



Source link