Hackers are actively targeting vulnerable WordPress websites in an effort to exploit a widespread WooCommerce Payments plugin vulnerability and gain administrator rights.
The WooCommerce Payments plugin, with more than 600,000 active installations, facilitates credit and debit card payments in WooCommerce stores.
The Wordfence Threat Intelligence team’s cybersecurity analysts recently discovered the vulnerability in the WooCommerce Payments plugin; it is tracked as CVE-2023-28121.
Flaw Exploitation
Massive attacks exploited the vulnerability from July 14–16, 2023, with 1.3 million attacks on 157,000 sites at their peak.
Automattic force-pushed security fixes to WordPress sites, preventing unauthenticated remote users from impersonating administrators and gaining full control. While no active exploitation had been reported at the time the fix was issued, researchers cautioned against future exploitation due to the critical nature of the bug.
Wordfence researchers discovered attackers exploiting the flaw in WooCommerce Payments by adding an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ header to their requests, which grants full control over vulnerable WordPress sites, as demonstrated in a proof-of-concept exploit published by RCE Security.
To execute code remotely on the vulnerable site, the threat actor uses the administrative privileges gained through the flaw to install the WP Console plugin.
WP Console, once installed, empowers threat actors to execute PHP code and deploy a persistent file uploader as a backdoor, maintaining access even after patching the vulnerability.
The attack appears to be focused on a smaller set of websites; an early warning sign was a surge of plugin-enumeration requests for the plugin’s ‘readme.txt’ file across millions of sites.
Wordfence observes attackers creating admin accounts with random passwords using the exploit, and the threat actors scan for vulnerable sites by accessing the following directory: –
Thousands of IP addresses appear in the readme.txt enumeration requests, but only around 5,000 of them went on to conduct actual attacks, so the full list of enumerating IPs is of less value to defenders than the list of attacking ones.
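The two observable signals described above, the readme.txt enumeration burst and requests carrying the ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ header, can be triaged from ordinary web server logs. The following is an added detection example, not code from the article or from Wordfence. It assumes a constructed Apache-style access log in which an extra quoted field records the value of that request header (as Apache’s `%{X-WCPAY-PLATFORM-CHECKOUT-USER}i` LogFormat directive would produce); the log lines, IP addresses and threshold are all constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample log: "combined" format plus one extra quoted field holding the
# X-WCPAY-PLATFORM-CHECKOUT-USER request header. A dash means the header was absent.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2023:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [15/Jul/2023:10:01:03 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [15/Jul/2023:10:01:04 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [15/Jul/2023:10:05:00 +0000] "GET /wp-json/ HTTP/1.1" 200 2048 "-" "curl/8.0" "1"
198.51.100.9 - - [15/Jul/2023:10:05:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "curl/8.0" "1"
192.0.2.77 - - [15/Jul/2023:10:07:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "https://example.com/" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<wcpay>[^"]*)"$'
)
README_RE = re.compile(r"^/wp-content/plugins/([^/]+)/readme\.txt$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_header_requests(entries):
    """Requests that carried the X-WCPAY-PLATFORM-CHECKOUT-USER header at all.
    A normal browser never adds this header on its own, so any occurrence in
    inbound traffic deserves a look."""
    return [e for e in entries if e["wcpay"] not in ("", "-")]


def find_plugin_enumeration(entries, threshold=3):
    """IPs that requested readme.txt for at least `threshold` distinct plugins,
    the enumeration pattern that preceded the attacks."""
    per_ip = defaultdict(set)
    for e in entries:
        m = README_RE.match(e["path"])
        if m:
            per_ip[e["ip"]].add(m.group(1))
    return {ip: sorted(plugins) for ip, plugins in per_ip.items() if len(plugins) >= threshold}


def triage(text, threshold=3):
    """Return both signals so the attacking IPs (header bearers) can be separated
    from the much larger set of merely enumerating IPs."""
    entries = parse_log(text)
    return {
        "header_requests": [(e["ip"], e["method"], e["path"]) for e in find_header_requests(entries)],
        "enumerating_ips": find_plugin_enumeration(entries, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The header-bearing requests are the ones worth blocking and investigating; the enumeration list is useful mainly as an early-warning metric, since most of those IPs never attack.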
To mitigate the risk posed by CVE-2023-28121, it is highly recommended that all WooCommerce Payments plugin users update their installations immediately. Additionally, site admins should scan for unexpected PHP files and suspicious administrator accounts.
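One way to carry out the file-system half of that check, written here as an added example rather than code from the article or from Wordfence: walk a WordPress install, flag any PHP file under `wp-content/uploads/` (which should hold only media) and any PHP file that receives an upload and writes it to disk, the shape of the persistent uploader backdoor the article describes. The sample site tree, file names and contents are constructed for the demonstration; the extension list and the regex heuristic are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Extensions the PHP handler may execute, depending on server config (assumption).
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Heuristic for an uploader backdoor: a file that both reads $_FILES and calls
# move_uploaded_file(). Legitimate core/plugin code can match too, so treat hits
# as leads to review, not verdicts.
UPLOADER_RE = re.compile(r"\$_FILES\b.*?\bmove_uploaded_file\s*\(", re.S)


def scan_wp_tree(root):
    """Return sorted (relative_path, [reasons]) for suspicious PHP files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php_in_uploads")
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        if UPLOADER_RE.search(src):
            reasons.append("file_uploader")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample tree: a legitimate plugin file, a media file, a PHP file
    dropped into uploads, and an uploader-shaped file hiding in a theme directory.
    The 'backdoor' is inert marker text that only mentions the two function names."""
    files = {
        "wp-content/plugins/woocommerce-payments/woocommerce-payments.php": "<?php\n// plugin bootstrap\n",
        "wp-content/uploads/2023/07/image.jpg": "not php",
        "wp-content/uploads/2023/07/cache.php": "<?php echo 'hello';\n",
        "wp-content/themes/sample-theme/inc/helper.php":
            "<?php\n// constructed marker: references $_FILES and move_uploaded_file(\n",
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def demo():
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wp_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, reasons)
```

Point `scan_wp_tree` at the real document root to run it against a live site. For the account half of the check, WP-CLI’s `wp user list --role=administrator` lists every administrator so unexpected accounts can be spotted and removed.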