Critical Flaw in WordPress WooCommerce Payments Plugin Exploited in Targeted Attacks
Researchers have discovered that attackers have been exploiting a critical flaw in the WordPress WooCommerce Payments plug-in in a series of targeted attacks. The flaw, tracked as CVE-2023-28121 and rated 9.8 out of 10 on the CVSS vulnerability rating scale, was first discovered by researcher Michael Mazzolini in March. Exploit code soon followed, and the attacks have been escalating, with 1.3 million attempts against 157,000 sites on July 15.
Flaw and Impact
The vulnerability affects the WooCommerce Payments plugin for WordPress, particularly versions 5.6.1 and lower. It allows an unauthenticated attacker to elevate privileges and send requests on behalf of the administrator, thus gaining admin access to a site with the affected plugin. This flaw poses a significant threat, as the WooCommerce Payments plugin is installed on more than 600,000 sites.
Despite WooCommerce patching the flaw through an auto-update, sites running affected versions on non-WordPress.com platforms needed to manually install the update. Many sites have failed to do so, leaving them vulnerable to the ongoing attacks.
Highly Targeted Attacks
Researchers from Wordfence have noted that these attacks are unusual in that they appear to be highly targeted rather than random. Unlike many large-scale campaigns that attack millions of sites indiscriminately, this attack seems to focus on a smaller set of websites.
Wordfence researchers identified warning signs of the attacks several days before the main wave by observing an increase in plugin enumeration requests searching for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites. While the majority of actual attacks came from a handful of IP addresses, the readme.txt requests were distributed over thousands of IP addresses. However, only about 5,000 IP addresses sent both readme.txt requests and actual attacks.
All exploits targeting the WooCommerce Payments vulnerability had a common header: X-Wcpay-Platform-Checkout-User: 1. This header tricks vulnerable sites into treating additional payloads as coming from an admin. Attackers have been observed using this exploit to install the WP Console plugin, which can be used to execute code on a site.
Once the malicious plugin is installed, attackers can execute code and establish persistence on the compromised site. The payload observed by Wordfence researchers has an MD5 hash of “fb1fd5d5ac7128bf23378ef3e238baba”. Attackers have also been creating malicious administrators with randomized alphanumeric usernames, such as ‘ac9edbbe’.
Exploiting the CVE-2023-28121 Bug
Julien Ahrens, a self-appointed hacker behind RCE Security, shared an exploit attack that triggers the vulnerability in the determine_current_user_for_platform_checkout() function. By setting the X-WCPAY-PLATFORM-CHECKOUT-USER request header to a specific user ID, an attacker can trick WooCommerce into thinking that an unauthenticated user is authenticated. This allows the attacker to impersonate any active user, including administrators.
Once the attacker has successfully impersonated an admin, the entire WordPress instance can be compromised. The attacker can determine the success of the exploit by checking the HTTP response code. If the code is 201, it means that the exploit was successful, and the newly created user’s object can be used to authenticate against WordPress‘ administrative backend.
If the impersonated user is no longer active or disabled, the attacker may need to either query the /wp-json/wp/v2/users API method or brute force through user IDs to find an active user.
Editorial
The exploitation of the critical flaw in the WordPress WooCommerce Payments plugin highlights the ongoing risks faced by websites and online platforms. As the number of websites and plugins continues to grow, so do the potential vulnerabilities that can be exploited by hackers.
These targeted attacks against specific websites demonstrate the importance of promptly updating plugins and maintaining secure configurations. It also emphasizes the need for active monitoring and response to emerging threats in the cybersecurity landscape.
Furthermore, this incident raises questions about the wider implications of software vulnerabilities and the responsibility of developers and platform providers. While WordPress patched the flaw and issued an auto-update, many sites running affected versions on non-WordPress.com platforms failed to install the patch, leaving them vulnerable, ultimately leading to the targeted attacks seen in recent days.
Advice for Website Owners and Administrators
Website owners and administrators who are using the WooCommerce Payments plugin for WordPress should take immediate action to ensure the security of their sites.
1. Update the Plugin: Make sure that you have updated the WooCommerce Payments plugin to the latest version that includes the patch for the vulnerability. Regularly check for plugin updates and install them promptly to prevent potential security gaps.
2. Check for Unexpected Admin Users or Posts: Review your site for any unexpected admin users or posts. If you find any suspicious activities or unauthorized access, it may indicate a compromise. Update admin passwords and rotate any API keys used on your site, including the WooCommerce API key.
3. Implement Security Measures: Enhance your website’s overall security by implementing robust security measures. This includes using strong and unique passwords, enabling two-factor authentication, regularly backing up your website, and implementing a web application firewall (WAF) to detect and block malicious traffic.
4. Stay Informed: Stay up to date with the latest security news and vulnerabilities affecting the plugins and platforms you rely on. Subscribe to security alerts and follow reliable sources of cybersecurity information to stay informed about emerging threats and best practices.
By taking these proactive steps, website owners and administrators can protect their sites from potential cyberattacks and maintain the security and integrity of their online presence.
<< photo by Sigmund >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Exploring the Global Impact of Cybercrime: Nigerian Man Receives 8-Year Prison Sentence for $8 Million BEC Scheme
- Exposing the Dark Side: The Unmasking of a Black Hat Hacker
- The Linux Ransomware Dilemma: Protecting Critical Infrastructure from a Growing Menace
- ShadowPad Malware Strikes Pakistani Entities in Sophisticated Cyberattack
- The Escalating Battle Against Digital Espionage: Commerce Department Expands Blacklist
- Mozilla Introduces Innovative Feature to Safeguard User Security by Blocking Risky Add-Ons on Specific Websites
- Enhancing Your WordPress Website’s Security: Exploring the Benefits of CleanTalk Anti-Spam
- Uncovering a Security Vulnerability: The WordPress Plugin Exposing Thousands of Websites
- Security Breach: Hacker Exploits Critical Vulnerability in WooCommerce Payments Plugin to Compromise WordPress Sites
