Hackers are actively exploiting a critical vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin, which is used by over 50,000 websites. YITH WooCommerce Gift Cards Premium is a plugin that allows website owners to sell gift cards in their online stores.
In November, researchers discovered a vulnerability in the plugin, tracked as CVE-2022-45359 with a CVSS score of 9.8 out of 10. It allows attackers to upload arbitrary files to vulnerable sites, including web shells that give full control over the site. The flaw affects all versions of the plugin prior to 3.19.0. The fix was released back in version 3.20.0, but the vendor has since released version 3.21.0 and recommends updating to it.
According to analysts from Wordfence, many sites still run the old, vulnerable version of the plugin, and attackers are taking advantage of this: their exploit lets them upload backdoors, remotely execute code and take over victims' sites.
The specialists reverse-engineered the exploit and found that the problem lies in the import_actions_from_settings_panel function, which is hooked to admin_init. In vulnerable versions of the plugin, this function performs neither a CSRF check nor a capability check.
Together, these two omissions allow unauthenticated attackers to send POST requests to /wp-admin/admin-post.php and upload malicious PHP files to the site.
Malicious requests appear in the logs as unexpected POST requests from unknown IP addresses.
Wordfence has detected the following malicious files:
- kon.php/1tes.php - this file loads a copy of the marijuana shell file manager from a remote source (shell[.]prinsh[.]com) into memory;
- b.php is a simple loader file;
- admin.php is a password protected backdoor.
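The two detection points above (unexpected POSTs to admin-post.php and the dropped file names) can be turned into a simple access-log triage. This is an added example, not Wordfence's or the plugin's code; the log lines, IP addresses, site host `shop.example` and settings page slug are constructed, and the rule treats a POST to admin-post.php as suspect only when it comes from an untrusted address and carries no Referer from the site's own admin pages.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format. IPs,
# timestamps and the settings page slug are illustrative; the request paths and
# file names reproduce the indicators named in the text.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2022:03:12:41 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.10 - - [14/Dec/2022:03:12:43 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 2048 "-" "python-requests/2.28"
198.51.100.7 - - [14/Dec/2022:03:15:02 +0000] "GET /shop/gift-card/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2022:03:15:09 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=example-settings" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2022:03:15:10 +0000] "GET /wp-admin/admin.php?page=example-settings HTTP/1.1" 200 40231 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.55 - - [14/Dec/2022:03:20:17 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "curl/7.85"
192.0.2.55 - - [14/Dec/2022:03:20:19 +0000] "GET /admin.php HTTP/1.1" 200 311 "-" "curl/7.85"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# File names reported by Wordfence above. The dropped admin.php lives outside
# /wp-admin/, which distinguishes it from WordPress's own /wp-admin/admin.php.
WEBSHELL_NAMES = {"kon.php", "1tes.php", "b.php", "admin.php"}

def triage(log_text, site_host, trusted_ips=frozenset()):
    """Return (suspect_posts, shell_hits).
    suspect_posts counts, per IP, POSTs to admin-post.php that neither come from
    a trusted address nor carry a Referer from the site's own admin pages (the
    exploit is unauthenticated, so it is not submitted from one).
    shell_hits lists requests for a known dropped-file name outside /wp-admin/."""
    suspect_posts = Counter()
    shell_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        r = m.groupdict()
        path = r["path"].split("?", 1)[0]
        if (r["method"] == "POST" and path == "/wp-admin/admin-post.php"
                and r["ip"] not in trusted_ips
                and not r["referer"].startswith(f"https://{site_host}/")):
            suspect_posts[r["ip"]] += 1
        if (not path.startswith("/wp-admin/")
                and path.rsplit("/", 1)[-1] in WEBSHELL_NAMES):
            shell_hits.append((r["ip"], path, r["status"]))
    return suspect_posts, shell_hits

if __name__ == "__main__":
    posts, hits = triage(SAMPLE_LOG, "shop.example")
    print(posts.most_common(), hits)
```

A legitimate admin saving settings also POSTs to admin-post.php, so the Referer and trusted-IP conditions only cut the noise; flagged addresses still need a human look, and a 200 for a name in WEBSHELL_NAMES means the file actually exists on disk.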
Analysts report that most of the attacks occurred in November, before administrators had time to fix the vulnerability, but the second peak of hacks was observed on December 14, 2022.
Attacks are carried out from hundreds of IP addresses, the two most active being Vietnamese 103[.]138.108.15 (19,604 attacks against 10,936 different sites) and Estonian 188[.]66.0.135 (1,220 attacks against 928 sites).