Hackers Exploiting Critical WordPress Woocommerce Payments Bug

Cyber Security Threat Summary:
A critical vulnerability in the widely used WooCommerce Payments plugin is being exploited by hackers, enabling them to gain the privileges of any user, including administrators, on vulnerable WordPress installations. WooCommerce Payments is a highly popular WordPress plugin that facilitates credit and debit card payments in WooCommerce stores, with over 600,000 active installations, as reported by WordPress.

The vulnerability, tracked as CVE-2023-28121 and rated at 9.8, was addressed by the developers on March 23, 2023, with the release of version 5.6.2. This flaw specifically affects WooCommerce Payments plugin versions 4.8.0 and above, and it was rectified in subsequent versions such as 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and later. The vulnerability allowed remote users to assume the identity of an administrator and gain full control over a WordPress site, prompting Automattic to enforce the installation of the security fix for WordPress installations that utilize the plugin.
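Because the advisory identifies exposure purely by plugin version, a check that maps an installed WooCommerce Payments version onto the patched releases listed above is added here as an example (this is not code from the page, the plugin, or Wordfence). The FIXED_RELEASES table is read off the version list in this section, and the plugin header it parses is a constructed sample, not a real plugin file.

```python
import re
from typing import Optional, Tuple

# Patched release per affected branch, taken from the advisory text above.
# Branches 4.8 through 5.6 each received a fix; 5.7 and later shipped fixed.
FIXED_RELEASES = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4), (5, 1): (5, 1, 3),
    (5, 2): (5, 2, 2), (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.6.1' into (5, 6, 1); missing components count as zero."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True if this WooCommerce Payments version predates the fix for its branch."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # versions below 4.8.0 are not in the affected range
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # An affected-range branch not in the table is 5.7 or newer, which shipped fixed.
        return False
    return v < fixed


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample header (hypothetical), not a real file from the plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Payments
 * Version: 5.6.1
 */
"""

if __name__ == "__main__":
    ver = version_from_plugin_header(SAMPLE_HEADER)
    print(ver, "vulnerable" if is_vulnerable(ver) else "patched")
```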

“This month, researchers at RCE Security analyzed the bug and released a technical blog on the CVE-2023-28121 vulnerability and how it can be exploited. The researchers explain that attackers can simply add an 'X-WCPAY-PLATFORM-CHECKOUT-USER' request header and set it to the user ID of the account they wish to impersonate. When WooCommerce Payments sees this header, it will treat the request as if it was from the specified user ID, including all of the user's privileges. As part of the blog post, RCE Security released a proof-of-concept exploit that uses this flaw to create a new admin user on vulnerable WordPress sites, making it easy for threat actors to take complete control over the site. Today, WordPress security firm Wordfence warned that threat actors are exploiting this vulnerability in a massive campaign targeting over 157,000 sites by Saturday. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," explains Wordfence. Wordfence says the threat actors use the exploit to install the WP Console plugin or create administrator accounts on the targeted device” (BleepingComputer, 2023).

Security Officer Comments:
Threat actors took advantage of the WP Console plugin on targeted systems to execute PHP code, which installs a file uploader on the server, enabling them to maintain a backdoor even after the vulnerability has been patched. Additionally, Wordfence reports that other attackers have exploited the vulnerability to create administrator accounts with randomly generated passwords. To identify vulnerable WordPress sites, the threat actors attempt to access the '/wp-content/plugins/woocommerce-payments/readme.txt' file, and if it exists, they exploit the flaw.

Suggested Correction(s):
Given the ease of exploitation of CVE-2023-28121, it is strongly recommended that all websites using the WooCommerce Payments plugin ensure that their installations are fully up to date. For those who haven’t recently updated their installations, it is also advised that site administrators scan their sites for any unusual PHP files and suspicious administrator accounts, promptly deleting any that are discovered.

Link(s):
https://www.bleepingcomputer.com/