Threat actors have recently been targeting WordPress websites by exploiting a critical vulnerability in the WooCommerce Payments plugin. Developed by Automattic, this widely-used payment solution has over 600,000 active installations, making it a prime target for attackers. This article provides an overview of the vulnerability, the ongoing attacks, and recommendations for site administrators to protect their websites.
Exploited Vulnerability
Tracked as CVE-2023-28121 with a CVSS score of 9.8, the exploited vulnerability allows unauthenticated attackers to compromise an administrator’s account and gain full control of a vulnerable website. The vulnerability was patched in plugin version 5.6.2 on March 23, but attacks against unpatched versions have been escalating recently.
Magnitude of Attacks
WordPress security firm Defiant reports that large-scale attacks exploiting the vulnerability began on Thursday, July 14, 2023, and peaked on Saturday, July 16, with 1.3 million attacks targeting 157,000 sites. While the campaign focuses on a specific set of websites, the observed attacks primarily originated from seven IP addresses.
Attack Methodology
The attackers initiated the campaign by increasing plugin enumeration requests to locate a specific file in the plugin’s directory. These requests were distributed over thousands of IP addresses, suggesting a coordinated effort. The exploits targeting CVE-2023-28121 contained a header that tricks vulnerable sites into treating additional payloads as coming from an administrative user. The attackers sought to leverage admin privileges to install the WP Console plugin and gain code execution for further malicious activities.
Recommendations for Site Administrators
To protect their websites, site administrators are strongly advised to update their WooCommerce Payments installations to the latest patched version. It is crucial to act promptly, as the exploits and technical details of CVE-2023-28121 have been publicly available for several weeks. Given that over 60% of sites run a plugin version above 5.9.x, the actual number of vulnerable websites remains uncertain.
Conclusion
The ongoing attacks targeting WooCommerce Payments plugin users highlight the increasing sophistication of threat actors. With the ability to execute reconnaissance activities and maintain persistence using administrator-level functionality, attackers pose a significant risk to website security. Site administrators must prioritize timely software updates and remain vigilant against emerging threats in order to safeguard their websites and user data.