Cybersecurity researchers from Wordfence are warning WordPress users that a popular plugin has a security flaw that is being abused in the wild in ongoing campaigns.
Threat actors can use the flaw, tracked as CVE-2023-28121 and carrying a severity score of 9.8, for a range of attacks, including full website takeover.
It’s found in the WooCommerce Payments plugin, which is installed on more than 600,000 websites. The vulnerability is described as an “authentication bypass”: it lets threat actors skip authentication and act as other users, including administrators.
Patched months ago
The bulk of the attack, which seems to be automated, happened over the weekend: “Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” Wordfence said in its announcement.
Websites hosting WooCommerce Payments versions 4.8.0 to 5.6.1 were said to be vulnerable, with the patch being available for months now.
On the compromised websites, the attackers managed to deploy the WP Console plugin and use it to run malicious code, including file uploaders and backdoors.
The vulnerability was first discovered by cybersecurity researchers from GoldNetwork in late March 2023. At the time, there was no evidence of the flaw being used in the wild, and WordPress pushed a mandatory update to all websites with the plugin installed, in hopes of minimizing the potential damage. However, it would seem that there are plenty of websites out there that have automatic updates turned off.
Here are all the vulnerable WooCommerce Payments versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
If your website is still running any of the above-mentioned versions, chances are it still hasn’t been updated. To do so manually, head to your WP Admin dashboard, navigate to Plugins, find WooCommerce Payments, and look for a notification about the vulnerability, as well as the instructions on how to update.
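For anyone responsible for more than one site, the practical check is to compare each installed WooCommerce Payments version against the affected range the article cites (4.8.0 through 5.6.1). The script below is an added example, not code from the article, Wordfence or WooCommerce; the site inventory it runs over is constructed sample data, and the point it makes is that versions must be compared numerically, since a plain string comparison would rank 4.10.x below 4.9.x.

```python
"""Added example: flag WooCommerce Payments installs whose version falls in
the affected range 4.8.0-5.6.1 cited by the article. The inventory below is
constructed sample data, not real sites."""
from typing import List, Tuple

# Affected range as stated in the article (inclusive at both ends).
AFFECTED_MIN = (4, 8, 0)
AFFECTED_MAX = (5, 6, 1)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.6.1' into (5, 6, 1).

    Numeric tuples compare correctly where string comparison does not:
    '4.10.0' < '4.9.1' as strings, but (4, 10, 0) > (4, 9, 1) as tuples.
    Missing components are padded with zeros so '4.8' equals '4.8.0'.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version: str) -> bool:
    """True if the installed version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample inventory: (site, installed plugin version).
SAMPLE_INVENTORY = [
    ("shop-a.example", "4.8.0"),   # lower bound of the range: affected
    ("shop-b.example", "4.10.2"),  # would be missed by string comparison
    ("shop-c.example", "5.6.1"),   # upper bound of the range: affected
    ("shop-d.example", "5.6.2"),   # first version past the range
    ("shop-e.example", "4.7.9"),   # predates the affected range
]


def find_affected(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the sites whose installed version needs updating."""
    return [site for site, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for site in find_affected(SAMPLE_INVENTORY):
        print(f"{site}: WooCommerce Payments in affected range, update it")
```

Feed the function a real inventory (for example, the version each site reports in its Plugins page) and the sites it returns are the ones where the manual update described above is still outstanding.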
Via: The Hacker News