A severe vulnerability in the widely-used WooCommerce Payments plugin is under rampant attack by cybercriminals. They are exploiting this security loophole to gain access rights of all users, notably administrators, on WordPress sites that are susceptible to this exploitation.
About WooCommerce Payments Plugin
The WooCommerce Payments plugin is an exceptionally popular tool within the WordPress ecosystem. Its prime function is to facilitate websites in accepting debit and credit card payments within WooCommerce-based online stores. The plugin boasts a substantial user base. The current users stands at 600,000 installations, as per WordPress.
Critical Bug Identified and Patched
On March 23, 2023, the critical vulnerability, tagged as CVE-2023-28121, caught the attention of the developers. Subsequently, they launched version 5.6.2, aiming to rectify this critical 9.8-rated bug. The flaw influences WooCommerce Payment plugin versions 4.8.0 and above, and the remedy is available in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and subsequent ones.
The vulnerability opens a backdoor for any remote user to mask as an administrator, subsequently gaining complete control over the WordPress site. To mitigate this risk, Automattic, the company behind WordPress, enforced a security update on all WordPress installations using this plugin.
At that point, WooCommerce claims that the vulnerability had not been put for wrong use. However, they cautioned that active exploitation was a future possibility due to the severity of the bug.
The Flaw is Now Being Actively Exploited
Fast-forward to the present month, cybersecurity analysts at RCE Security dissected the bug, delivering a comprehensive technical blog concerning the vulnerability and its potential exploitation methods. Attackers can merely introduce an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ request header and assign it to the user ID of the account they aim to mimic.
When WooCommerce Payments identifies this header, it treats the request as originating from the stated user ID, inheriting all of the user’s privileges. RCE Security, as part of their blog post, exposed a proof-of-concept exploit. This exploit leverages the flaw to introduce a new admin user on vulnerable WordPress sites. Consequently, threat actors can wholly overrun the site.
According to Wordfence, a WordPress security firm, a massive campaign has been launched exploiting this vulnerability, targeting over 157,000 sites as of Saturday. They warned that threat actors are using the exploit to create administrator accounts or install the WP Console plugin on targeted devices.
Impact of the WooCommerce Payments Plugin Exploitation
On servers where WP Console gets installation, the threat actors execute PHP code. This code is to set up a file uploader on the server, acting as a backdoor that could be helpful. Wordfence has also reported instances where threat actors created admin accounts with random passwords using the exploit.
The threat actors conduct a vulnerability scan by attempting to access the ‘/wp-content/plugins/woocommerce-payments/readme.txt’ file. If the file is located, they exploit the flaw. Cybersecurity researchers have identified seven IP addresses responsible for these attacks, with one IP address alone probing 213,212 sites.
Remedial Measures and Caution Against WooCommerce Payments Plugin Bug
Given the ease of exploiting the CVE-2023-28121 vulnerability, it is of importance for all WordPress sites using WooCommerce Payment plugin. It is to update their installations. For sites that haven’t been got update, site admins should scan for unusual PHP files and dubious administrator accounts. Then they should and promptly eliminate any they discover.
