Advisory

WooCommerce vulnerability used in WordPress targeted attacks

Take action: Time to do a quick patch of your WooCommerce plugins. Also check for newly installed file uploader plugins, the WP Console plugin, or unknown users on your platform. If you find them, disable them immediately and investigate in detail.


Learn More

A critical security flaw in the WordPress WooCommerce Payments plugin is being exploited by hackers to gain unauthorized access to user privileges. WooCommerce Payments is estimated to be installed on approximately 600,000 websites.

Through the vulnerability, designated CVE-2023-28121 (CVSS score 9.8), remote attackers were able to impersonate administrators and gain control over WordPress sites.

  • The affected versions of the plugin were identified as 4.8.0 and higher.
  • The WooCommerce Payments plugin released a patch on March 23 as version 5.6.2.

Researchers released a detailed technical blog explaining how CVE-2023-28121 operated:

By adding the "X-WCPAY-PLATFORM-CHECKOUT-USER" request header, hackers could set it to a specific user ID and trick the plugin into recognizing the request as originating from the genuine user. This granted the attackers full access to all of the user's privileges.

To illustrate the potential consequences of the exploit, the researchers released a proof-of-concept demonstration, showcasing how hackers could exploit the flaw to create a new admin user on compromised WordPress sites. This easy takeover gave the attackers immediate control over the websites.

Security researchers also noted a significant increase in hacking attempts against a popular WordPress plugin. During the attacks, threat actors used the admin privileges they had obtained to install the WP Console plugin remotely, which they then used to execute malicious code and establish persistence by placing a file uploader on victim sites.

Wordfence security service for WordPress noted that while the number of attack attempts exceeded one million, this campaign appeared to be relatively targeted. Unlike typical large-scale attacks that indiscriminately target millions of sites, this one seemed to focus on a smaller subset of websites.

Interestingly, signs of the impending attacks were observed several days before the main wave, with an increase in plugin enumeration requests searching for a "readme.txt" file in the "wp-content/plugins/woocommerce-payments/" directory of millions of sites.

While most auto-update websites managed through Automattic already have the plugin force-patched, self-hosted sites are obviously lagging behind.
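The following script is an added example for site owners working through the "Take action" list above and the reconnaissance indicator Wordfence described; it is not code from the advisory, from Wordfence, or from the WooCommerce project. It reads the "Stable tag" line of the plugin's readme.txt to decide whether the installed version sits in the affected range (4.8.0 up to, but not including, 5.6.2, as stated on this page), counts readme.txt enumeration requests per client address in combined-format access logs, and flags installed plugin slugs and admin accounts that warrant a closer look. The slug "wp-console" for the WP Console plugin, the uploader name substrings, and all log lines, readme text, plugin and user lists are constructed assumptions for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Apache/nginx "combined" access-log format. The sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Reconnaissance indicator named in the advisory: probes for the plugin's readme.txt.
PROBE_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"

# Version boundaries as stated in the advisory.
FIRST_AFFECTED = (4, 8, 0)
PATCHED = (5, 6, 2)

# Plugin slugs to flag after a suspected compromise. "wp-console" is assumed to be the
# slug of the WP Console plugin; the uploader substrings are an assumption, not a fixed list.
FLAGGED_SLUGS = {"wp-console"}
FLAGGED_SUBSTRINGS = ("file-upload", "uploader", "file-manager")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.6.1' into (5, 6, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version falls in [4.8.0, 5.6.2) per the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < PATCHED


def version_from_readme(readme_text: str) -> Optional[str]:
    """Read the 'Stable tag:' line that WordPress plugin readme.txt files carry."""
    match = re.search(r"^Stable tag:\s*([\d.]+)\s*$", readme_text, re.MULTILINE)
    return match.group(1) if match else None


def find_probes(log_lines: Iterable[str]) -> Counter:
    """Count readme.txt enumeration requests against the plugin directory, per client IP."""
    hits: Counter = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = match.group("path").split("?", 1)[0]  # drop any query string
        if path.endswith(PROBE_PATH):
            hits[match.group("ip")] += 1
    return hits


def suspicious_plugins(installed_slugs: Iterable[str]) -> List[str]:
    """Return installed plugin slugs matching the indicators from the advisory."""
    found = []
    for slug in installed_slugs:
        lowered = slug.lower()
        if lowered in FLAGGED_SLUGS or any(s in lowered for s in FLAGGED_SUBSTRINGS):
            found.append(slug)
    return found


def unknown_admins(current_admins: Iterable[str], expected_admins: Set[str]) -> List[str]:
    """Admin accounts missing from the allow-list the site owner maintains (an input here)."""
    return sorted(set(current_admins) - expected_admins)


# Constructed sample data standing in for a real access log and site inventory.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:08:01:12 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2023:08:01:13 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2023:08:02:40 +0000] "GET /shop/product/blue-widget/ HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2023:08:03:01 +0000] "GET /blog/wp-content/plugins/woocommerce-payments/readme.txt?ver=1 HTTP/1.1" 404 512 "-" "python-requests/2.31"',
]
SAMPLE_README = "=== WooCommerce Payments ===\nContributors: example\nStable tag: 5.6.1\n"
SAMPLE_PLUGINS = ["woocommerce", "woocommerce-payments", "wp-console", "simple-file-uploader"]
SAMPLE_ADMINS = ["alice", "wpadmin2"]


def triage(log_lines, readme_text, plugin_slugs, admins, expected_admins) -> Dict[str, object]:
    """Run the checks from the advisory's 'Take action' list and collect the findings."""
    version = version_from_readme(readme_text)
    return {
        "plugin_version": version,
        "needs_patch": bool(version) and is_vulnerable_version(version),
        "probe_sources": dict(find_probes(log_lines)),
        "suspicious_plugins": suspicious_plugins(plugin_slugs),
        "unknown_admins": unknown_admins(admins, expected_admins),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG, SAMPLE_README, SAMPLE_PLUGINS, SAMPLE_ADMINS, {"alice"})
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On a real site, feed `find_probes` the web server's access log, `version_from_readme` the contents of wp-content/plugins/woocommerce-payments/readme.txt, and `suspicious_plugins` the directory names under wp-content/plugins; a non-empty `probe_sources` in the days before a suspected compromise matches the early-warning pattern Wordfence reported, and a positive `needs_patch` means the update should be applied before anything else.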
