Hackers exploit bug in WordPress gift card plugin with 50K installs
Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites.
YITH WooCommerce Gift Cards Premium is a plugin that website operators to sell gift cards in their online stores.
Exploiting the vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), allows unauthenticated attackers to upload files to vulnerable sites, including web shells that provide full access to the site.
CVE-2022-45359 was disclosed to the public on November 22, 2022, impacting all plugin versions up to 3.19.0. The security update that addressed the problem was version 3.20.0, while the vendor has already released 3.21.0 by now, which is the recommended upgrade target.
Unfortunately, many sites still use the older, vulnerable version, and hackers have already devised a working exploit to attack them.
According to WordPress security experts at Wordfence, the exploitation effort is well underway, with hackers leveraging the vulnerability to upload backdoors on the sites, obtain remote code execution, and perform takeover attacks.
Actively exploited in attacks
Wordfence reverse-engineered exploit hackers are using in attacks, finding that the issue lies in the plugin’s “import_actions_from_settings_panel” function that runs on the “admin_init” hook.
Moreover, this function does not perform CSRF or capability checks in vulnerable versions.
These two issues make it possible for unauthenticated attackers to send POST requests to “/wp-admin/admin-post.php” using the appropriate parameters to upload a malicious PHP executable on the site.
The malicious requests appear on logs as unexpected POST requests from unknown IP addresses, which should be a sign for site admins they are under attack.
The uploaded files spotted by Wordfence are the following:
- kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)
- b.php – simple uploader file
- admin.php – password-protected backdoor
The analysts report that most attacks occurred in November before admins could patch the flaw, but a second peak was observed on December 14, 2022.
IP address 184.108.40.206 was a significant source of attacks, launching 19,604 exploitation attempts against 10,936 websites. The next largest IP address is 220.127.116.11, which conducted 1,220 attacks against 928 WordPress sites.
The exploitation attempts are still ongoing, so users of the YITH WooCommerce Gift Cards Premium plugin are recommended to upgrade to version 3.21 as soon as possible.