Posted on July 15, 2023 at 5:49 AM
WordPress Sites at Risk as Threat Actors Exploit Critical Flaw in WooCommerce Payments Plugin
According to security experts, over 600,000 websites are at risk of being hacked because they run a single plugin: WooCommerce Payments, which is commonly installed on any WordPress site that lets users connect their credit and debit cards and make payments. Whether for shopping, subscriptions, or some other purpose, the WooCommerce Payments plugin is a universal solution for these platforms.
Now all of those sites are in danger due to a flaw in the plugin that allows attackers to gain the privileges of any user, including administrators. As mentioned, the plugin is used on roughly 600,000 websites.
Which versions of the plugin are affected?
Some time ago, the developers discovered that the plugin was flawed and quickly created a patch. The patch, version 5.6.2, was released on March 23rd of this year. Its purpose was to fix a critical vulnerability rated 9.8, now known as CVE-2023-28121. The flaw affects WooCommerce Payments versions 4.8.0 and higher; it has since been fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and later.
The experts have revealed that the vulnerability allows any remote user to take on an administrator role and take over WordPress websites. When the flaw was revealed, WooCommerce said there were no known active exploitations of the vulnerability. However, researchers believe it is only a matter of time before the flaw gets exploited.
After becoming aware of the issue, RCE Security analyzed the bug and released a technical blog post explaining how the vulnerability can be exploited. RCE researchers said that attackers could simply add an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ request header, which lets them set the user ID of any account they want to impersonate.
As soon as the plugin sees the header, it treats the request as if it came from the specified user ID and grants it all of that user's privileges. The researchers also released a proof-of-concept exploit that uses the flaw to create a new admin user.
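From the defender's side, the header described above is a clear detection signal: ordinary visitors never send it. The following is an added example, not code from the article, RCE Security, or WooCommerce. It assumes a reverse proxy or WAF log that records request headers as JSON, one record per line (a stock Apache or nginx access log does not capture custom headers, so this check needs a log source that does); the log lines, IP addresses and paths are constructed for the example.

```python
"""Flag HTTP requests that carry the X-WCPAY-PLATFORM-CHECKOUT-USER header.

Added example (not from the article or from WooCommerce/Wordfence). Assumes a
proxy/WAF log with one JSON record per line that includes request headers.
"""
import json

SUSPECT_HEADER = "x-wcpay-platform-checkout-user"

# Constructed sample log lines (not real traffic). Only the header name comes
# from the article; the IPs, paths and header values are made up.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "method": "POST", "path": "/wp-json/wp/v2/users", "headers": {"X-WCPAY-PLATFORM-CHECKOUT-USER": "1", "Content-Type": "application/json"}}
{"src": "198.51.100.4", "method": "GET", "path": "/shop/", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "headers": {"x-wcpay-platform-checkout-user": "2"}}
{"src": "192.0.2.9", "method": "POST", "path": "/wp-json/wp/v2/plugins", "headers": {"X-WCPAY-PLATFORM-CHECKOUT-USER": "1"}}
"""


def parse_record(line):
    """Parse one JSON log record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    # HTTP header names are case-insensitive, so normalize before matching;
    # otherwise a differently cased header would slip past the check.
    rec["headers"] = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    return rec


def find_impersonation_attempts(log_text):
    """Return every record carrying the header, with the user ID it claims."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or SUSPECT_HEADER not in rec["headers"]:
            continue
        hits.append({
            "src": rec.get("src"),
            "path": rec.get("path"),
            "claimed_user_id": rec["headers"][SUSPECT_HEADER],
        })
    return hits


def sources_by_hit_count(hits):
    """Count hits per source IP, most active first, for blocking or reporting."""
    counts = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_impersonation_attempts(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['src']} -> {hit['path']} claims user ID {hit['claimed_user_id']}")
    print(sources_by_hit_count(found))
```

Run against a real proxy log, the source list is what you would feed to a firewall block rule, and a claimed user ID of 1 (the first administrator on most installs) is the case to triage first. The check only covers logged traffic; it does not tell you whether an earlier request already succeeded, which is why the version check and file audit further down still matter.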
Hackers got to work as soon as the threat became public. According to Wordfence, threat actors are already exploiting the flaw in a massive campaign; the firm estimates that attackers had targeted over 157,000 websites by last Saturday. Wordfence said the campaign launched last Thursday, July 14th, and continued strongly over the weekend, peaking at 1.3 million attacks against 157,000 sites by July 16th.
The attackers have used the predicted methods
As predicted, bad actors have used the exploit to create administrator accounts or to install the WP Console plugin on targeted sites. Where WP Console was installed, the attackers used it to execute PHP code that installs a file uploader on the server. That uploader then serves as a backdoor, letting the attackers keep control of the website even after the vulnerability is patched.
Other attackers have used the exploit more directly, creating administrator accounts protected by their own passwords. So far, security researchers have identified and shared seven IP addresses responsible for the attacks. One of them, 194.169.175.93, was used to scan as many as 213,212 different WordPress websites.
Experts urge every website owner who uses the WooCommerce Payments plugin to update it immediately, or at least confirm that it is already on a patched version. Failing to do so lets attackers take over the website, plant multiple backdoors, and harm the site and its users.
The flaw in unpatched plugins is extremely easy to exploit, which is why security researchers also recommend that site admins scan their websites for unfamiliar PHP files. Any file that looks unusual or suspicious should be deleted immediately,
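The two checks the advice above boils down to (is the installed plugin version still in the affected range, and is there PHP sitting where no PHP belongs) can be scripted. The following is an added example and not tooling from the article, Wordfence, or WooCommerce. It encodes the affected and fixed versions exactly as the article lists them, and it assumes the plugin's main file lives at wp-content/plugins/woocommerce-payments/woocommerce-payments.php with the standard WordPress `Version:` plugin header; the sample install it builds in a temporary directory is constructed for the example.

```python
"""Audit a WordPress install for an unpatched WooCommerce Payments version and
for PHP files under wp-content/uploads, which should only hold media.

Added example, not from the article or the plugin. The plugin file path is an
assumption; the version table is the one the article gives.
"""
import os
import re
import tempfile

# Fixed releases listed in the article, keyed by major.minor branch.
FIXED_BY_BRANCH = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4), (5, 1): (5, 1, 3),
    (5, 2): (5, 2, 2), (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)
# Assumed location of the plugin's main file (standard WordPress layout).
PLUGIN_MAIN_FILE = os.path.join("wp-content", "plugins", "woocommerce-payments",
                                "woocommerce-payments.php")
# Extensions PHP may execute depending on server config; none belong in uploads.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def parse_version(text):
    """'5.6.1' -> (5, 6, 1); a missing patch or minor component counts as 0."""
    nums = tuple(int(p) for p in text.strip().split(".")[:3])
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(version_text):
    """True if the version is 4.8.0 or newer and below the fix for its branch."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branches newer than 5.6 were cut after the fix ("5.6.2 and later").
        return False
    return v < fixed


def read_plugin_version(wp_root):
    """Read the 'Version:' plugin header from the main file, or None if absent."""
    path = os.path.join(wp_root, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", fh.read(), re.M)
    return match.group(1) if match else None


def find_php_in_uploads(wp_root):
    """Return relative paths of PHP-like files anywhere under wp-content/uploads."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(hits)


def build_sample_site():
    """Constructed sample install in a temp dir: an unpatched plugin (5.6.1)
    and a PHP file dropped among the media uploads. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plugin = os.path.join(root, PLUGIN_MAIN_FILE)
    os.makedirs(os.path.dirname(plugin))
    with open(plugin, "w", encoding="utf-8") as fh:
        fh.write("<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: 5.6.1\n */\n")
    media = os.path.join(root, "wp-content", "uploads", "2023", "07")
    os.makedirs(media)
    for name in ("photo.jpg", "wp-upload.php", "notes.txt"):
        open(os.path.join(media, name), "w").close()
    return root


if __name__ == "__main__":
    site = build_sample_site()
    version = read_plugin_version(site)
    print("plugin version:", version, "vulnerable:", is_vulnerable(version))
    print("PHP files in uploads:", find_php_in_uploads(site))
```

Point the two functions at a real document root instead of the sample tree to audit a live site. A hit from `find_php_in_uploads` is not proof of compromise on its own, but a PHP file in the uploads tree is what the file-uploader backdoor described earlier looks like on disk, and it is worth comparing against a clean backup before deleting.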