A critical security flaw in the popular WooCommerce Payments WordPress plugin has become a lucrative opportunity for threat actors. The vulnerability, tracked as CVE-2023-28121, enables unauthenticated attackers to impersonate arbitrary users, including administrators, potentially leading to site takeover. In recent days, a massive targeted campaign exploiting this flaw has been observed, posing a significant threat to thousands of websites.
Overview of the vulnerability
CVE-2023-28121 is a severe case of authentication bypass within the WooCommerce Payments plugin. With a staggering CVSS score of 9.8, this vulnerability allows attackers to carry out actions on a website while impersonating an authorized user. This includes manipulating sensitive data and potentially taking full control over the target site, leading to severe consequences for website owners.
Scale of the attacks
Since its disclosure, large-scale attacks exploiting CVE-2023-28121 have surged rapidly. The assault began on Thursday, July 14, 2023, and continued surging through the weekend. On Saturday, July 16, the attacks reached their peak, with a jaw-dropping 1.3 million attempts observed against 157,000 vulnerable sites. This highlights the severity of the situation and the urgent need for action.
Affected versions and plugin usage
The WooCommerce Payments plugin versions 4.8.0 to 5.6.1 have been identified as susceptible to a critical security flaw. This vulnerability affects over 600,000 websites, making it a prime target for exploitation. With such a significant number of potentially compromised sites, immediate action is crucial to prevent further damage and data breaches.
Patching and updates
To address the vulnerability, WooCommerce released patches for this flaw back in March 2023. Additionally, WordPress has provided auto-updates for sites utilizing affected versions of the software. Website owners are strongly advised to ensure they have the latest updates and patches installed to protect their sites from exploitation.
Exploitation Techniques
To successfully exploit the vulnerability, attackers leverage the HTTP request header ‘X-Wcpay-Platform-Checkout-User: 1’. By adding this header, susceptible websites perceive additional payloads as originating from an administrative user. This manipulation allows the threat actors to execute unauthorized actions, granting them control over compromised sites.
Weaponization and Attack Consequences
Notably, the loophole is being weaponized by threat actors to deploy the WP Console plugin. Once installed, this malicious plugin allows administrators to execute harmful code and even establish a persistent backdoor within the compromised site. The consequences are dire, potentially leading to data breaches, service disruptions, and reputational damage for affected organizations.
Connection to Other Security Exploits
Recent reports from Rapid7 indicate a simultaneous surge in active exploitation of Adobe ColdFusion flaws starting from July 13, 2023. These exploits aim to deploy web shells on infected endpoints, further emphasizing the severity of the cybersecurity landscape. Moreover, it is believed that the attackers are exploiting a secondary vulnerability, possibly identified as CVE-2023-29298, in conjunction with the primary flaw to maximize damage.
Additional vulnerability details
In tandem with the critical flaw, another vulnerability, CVE-2023-38203, has been discovered. This flaw, with a high CVSS score of 9.8, relates to a deserialization issue, which was addressed in an out-of-band update released on July 14th. The presence of multiple vulnerabilities exacerbates the urgency for administrators to investigate and apply appropriate patches promptly.
The exploitation of the critical security flaw in the WooCommerce Payments WordPress plugin represents a severe threat to website owners and users alike. With a massive targeted campaign underway and countless sites at risk, immediate action is crucial. It is imperative that website owners promptly install the necessary patches and updates provided by WooCommerce and WordPress to mitigate the risks associated with this vulnerability. By remaining vigilant and proactive, organizations can curb the impact of this security lapse and safeguard their digital assets from threat actors’ prying eyes.