Hackers are extensively exploiting a significant vulnerability in the WooCommerce Payments plugin, a popular tool used on WordPress sites to accept credit and debit card payments. With over 600,000 active users, the plugin was patched in version 5.6.2 on March 23rd, 2023, to address this critical flaw, identified as CVE-2023-28121. The vulnerability affects versions 4.8.0 and above of the plugin, with fixes implemented in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and later.
This flaw allows any remote user to impersonate an administrator, gaining full control over a WordPress site. To address this, Automattic, the parent company of WordPress, forcibly installed a security fix on installations using the plugin. At the time, WooCommerce stated there was no known active exploitation of the vulnerability, but researchers warned that due to the bug's severity, future exploitation was likely.
This month, RCE Security conducted a detailed analysis of the CVE-2023-28121 vulnerability and its potential exploitation. According to the researchers, attackers can exploit the flaw by adding an 'X-WCPAY-PLATFORM-CHECKOUT-USER' request header and setting it to the user ID of the account they wish to impersonate. When WooCommerce Payments encounters this header, it processes the request as if it originated from the specified user ID, including all the user's privileges.
RCE Security published a proof-of-concept exploit demonstrating how this vulnerability can be used to create a new admin user on susceptible WordPress sites, thereby enabling threat actors to gain complete control over the site.
Wordfence, a WordPress security firm, warned that hackers are exploiting this vulnerability in a massive campaign that had targeted over 157,000 sites by July 16, 2023. 'Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,' explained Wordfence.
The threat actors are reportedly using the exploit to install the WP Console plugin or create administrator accounts on the targeted site. In some cases, the hackers utilized the WP Console plugin to execute PHP code, installing a file uploader on the server that could serve as a backdoor even after the vulnerability is patched. Wordfence also reported instances of attackers using the exploit to create administrator accounts with random passwords.
To identify vulnerable WordPress sites, the hackers attempt to access the '/wp-content/plugins/woocommerce-payments/readme.txt' file. If the file exists, they exploit the flaw. Seven IP addresses have been identified as responsible for these attacks, with the most active IP address scanning over 213,000 sites.
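The two observable traces described above, the readme.txt reconnaissance request and the 'X-WCPAY-PLATFORM-CHECKOUT-USER' header on later requests, can be hunted for in web server logs. The following is an added detection example (not code from the article, RCE Security or Wordfence); it assumes the site's Apache LogFormat appends the header value as a final quoted field via `%{X-WCPAY-PLATFORM-CHECKOUT-USER}i`, and the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines: Apache combined format plus one extra quoted field
# holding %{X-WCPAY-PLATFORM-CHECKOUT-USER}i ("-" when the header is absent).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2023:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 1543 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [14/Jul/2023:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "1"
198.51.100.7 - - [14/Jul/2023:10:02:11 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt?x=1 HTTP/1.1" 404 210 "-" "curl/8.1" "-"
192.0.2.55 - - [14/Jul/2023:10:03:30 +0000] "GET /shop/ HTTP/1.1" 200 9876 "https://example.test/" "Mozilla/5.0" "-"
192.0.2.55 - - [14/Jul/2023:10:03:31 +0000] "GET /?wc-ajax=checkout HTTP/1.1" 200 400 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<wcpay_user>[^"]*)"$'
)

# Path the campaign requests to check whether the plugin is installed.
README_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Count readme.txt probes per source IP and list every request that
    carried a non-empty X-WCPAY-PLATFORM-CHECKOUT-USER header."""
    probes = Counter()
    header_hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Compare without the query string so "readme.txt?x=1" still counts.
        if rec["path"].split("?", 1)[0] == README_PATH:
            probes[rec["ip"]] += 1
        # Any client-supplied value here is an impersonation attempt on an
        # unpatched site and worth reviewing regardless of the response code.
        if rec["wcpay_user"] not in ("", "-"):
            header_hits.append((rec["ip"], rec["path"], rec["wcpay_user"]))
    return {"readme_probes": dict(probes), "header_hits": header_hits}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

IPs with many probes across a fleet of sites correspond to the scanners Wordfence describes; a header hit from the same IP is the follow-up exploit attempt and the affected user ID to check.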
Due to the ease of exploiting CVE-2023-28121, all sites using the WooCommerce Payments plugin are urged to ensure their installations are up-to-date. Site administrators are also advised to scan their sites for unusual PHP files and suspicious administrator accounts, deleting any they find.