Skip to content

Hackers exploit WooCommerce plugin used by over 50,000 sites

  • by
  • 2 min read

Hackers are now exploiting a WooCommerce gift card WordPress plugin that’s currently being used on over 50,000 websites. The plugin has a critical vulnerability tracked as CVE-2022-45359 with a severity score of 9.8 that allows attackers to upload files to vulnerable sites. 

The vulnerability was publicly disclosed earlier on November 22 and impacts all plugin versions until 3.19.0. The plugin itself, called YITH WooCommerce Gift Cards Premium is now safe, with version 3.20.0 fixing the issue. The current version at the time of writing is 3.21.0. 

Wordfence researchers have observed active exploits in the wild. These exploits send HTTP POST requests to the admin-posts.php file with some additional parameters that uploads a malicious PHP file to the site. 

The issue is the import_actions_from_settings_panel function that runs on the admin_init WordPress hook. This function does not perform any security, compatibility or CSRF checks on the uploaded content, allowing attackers to upload three malicious PHP payloads. 

Hacking Android: How your phone can be compromised by a rogue app

These files include kon.php (or kon1.php), which loads a copy of the marijuana shell file manager in WordPress memory remotely. There’s a simple uploader file called b.php and a password-protected backdoor in admin.php.

Wordfence’s report claims that a majority of the attacks seem to be coming from a single IP address. This address — 103.138.108.15 launched 19,604 attacks against 10,936 sites. The IP address 188.66.0.135 comes second with 1,220 attacks against 928 sites. 

Most of these attacks occuered in November before the vulnerability was disclosed. That said, researchers also observed a second spike in attacks on December 14. 

The only mitigation here is to update the plugin to the latest version (3.21.0). Since exploitation attempts are still active, it’s recommended that site admins check their logs for any unexpected POST requets from unknown IP addresses which are indicative of the site being under attack and update the plugin as soon as possible. 

In the News: Twitter database with info of over 400 million users is up for sale

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>