Massive Exploit Against WooCommerce Payments Underway Bug on 600,000 Websites

by Esmeralda McKenzie

Hackers are actively targeting vulnerable WordPress websites to take advantage of a vulnerability in the WooCommerce Payments plugin and gain admin privileges.

The WooCommerce Payments plugin, with more than 600,000 active installations, facilitates credit and debit card payments in WooCommerce stores.

The Wordfence Threat Intelligence team's cybersecurity analysts recently discovered the vulnerability in the WooCommerce Payments plugin, and it is tracked as CVE-2023-28121.

Flaw Exploitation

Massive attacks exploited the vulnerability from July 14–16, 2023, with 1.3 million attacks on 157,000 sites at their peak.

Automattic enforced security fixes for WordPress sites, preventing remote users from impersonating admins and gaining full control. While no active exploits had been reported at that time, researchers cautioned against future exploitation due to the critical nature of the bug.

Wordfence researchers found attackers exploiting a flaw in WooCommerce Payments by adding an 'X-WCPAY-PLATFORM-CHECKOUT-USER' header, which grants full control over vulnerable WordPress sites, as demonstrated by a proof-of-concept exploit from RCE Security.

To execute code remotely on the vulnerable website, the threat actor installs the WP Console plugin using the administrative privileges obtained through the exploit.

[Figure: A request attempting to install the wp-console plugin (Source: Wordfence)]

WP Console, once installed, enables threat actors to execute PHP code and deploy a persistent file uploader as a backdoor, maintaining access even after the vulnerability is patched.

[Figure: A request attempting to use the wp-console plugin to execute malicious code (Source: Wordfence)]

This attack appears to be focused on a smaller set of websites, and the early warning signs included a surge in plugin enumeration requests seeking the 'readme.txt' file across millions of sites.

[Figure: Total requests by date looking for readme.txt files (Source: Wordfence)]

Wordfence observes attackers creating admin accounts with random passwords using the exploit, and the threat actors scan for vulnerable sites by requesting the following path:

'/wp-content/plugins/woocommerce-payments/readme.txt'

IPs Detected

Apart from this, seven IP addresses, including 194.169.175.93, which alone scanned 213,212 sites, have been identified by security researchers in the attacks.

  • 194.169.175.93: 213,212 sites attacked
  • 2a10:cc45:100::5474:5a49:bfd6:2007: 90,157 sites attacked
  • 103.102.153.17: 27,346 sites attacked
  • 79.137.202.106: 14,799 sites attacked
  • 193.169.194.63: 14,619 sites attacked
  • 79.137.207.224: 14,509 sites attacked
  • 193.169.195.64: 13,491 sites attacked

There are thousands of IP addresses distributed among the readme.txt requests. However, only around 5,000 of them conducted actual attacks, which makes the broader set of addresses less useful to defenders.
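The indicators this article names, the readme.txt probe path, the 'X-WCPAY-PLATFORM-CHECKOUT-USER' header and the most active source addresses, can be turned into a simple log triage check. The following script is an added example, not Wordfence's or the article's own code; it assumes request logs exported as JSON lines (ip, method, path, headers), and its sample records are constructed.

```python
"""Flag CVE-2023-28121 campaign indicators from this article in request logs:
readme.txt probes, the X-WCPAY-PLATFORM-CHECKOUT-USER header, known scanner IPs.
JSON-lines log format (ip, method, path, headers) is an assumption; sample
records are constructed."""
import json

README_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"
SPOOF_HEADER = "x-wcpay-platform-checkout-user"
# Addresses the article reports as most active in the attacks.
KNOWN_ATTACKER_IPS = {
    "194.169.175.93", "2a10:cc45:100::5474:5a49:bfd6:2007", "103.102.153.17",
    "79.137.202.106", "193.169.194.63", "79.137.207.224", "193.169.195.64",
}

def classify(record):
    """Return the indicator tags that apply to one parsed request record."""
    tags = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if record.get("path", "").split("?", 1)[0] == README_PATH:
        tags.append("readme_probe")  # reconnaissance, not yet exploitation
    if SPOOF_HEADER in headers:
        tags.append("admin_spoof_header")  # exploitation attempt
    if record.get("ip") in KNOWN_ATTACKER_IPS:
        tags.append("known_attacker_ip")
    return tags

def scan_log(lines):
    """Parse JSON-lines records; return {ip: sorted tags} for matching IPs."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        tags = classify(record)
        if tags:
            hits.setdefault(record.get("ip", "?"), set()).update(tags)
    return {ip: sorted(t) for ip, t in hits.items()}

# Constructed sample records (not real traffic).
SAMPLE_LOG = """
{"ip": "194.169.175.93", "method": "GET", "path": "/wp-content/plugins/woocommerce-payments/readme.txt", "headers": {}}
{"ip": "203.0.113.7", "method": "POST", "path": "/wp-admin/", "headers": {"X-WCPAY-PLATFORM-CHECKOUT-USER": "1"}}
{"ip": "198.51.100.4", "method": "GET", "path": "/shop/", "headers": {"User-Agent": "Mozilla/5.0"}}
not json at all
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags the first two addresses and ignores the ordinary shop request; a readme probe alone is reconnaissance, while the spoofed header marks an actual exploitation attempt worth immediate review.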

To mitigate the risk posed by CVE-2023-28121, it is strongly recommended that all WooCommerce Payments plugin users update their installations right away. Additionally, website admins should scan for unusual PHP files and suspicious admin accounts.


Source credit : cybersecuritynews.com
