Hackers are Exploiting a WordPress Gift Card Plugin Vulnerability, Experts Warn

Vlad CONSTANTINESCU

December 27, 2022

Criminals are exploiting a critical vulnerability in a WordPress gift card plugin installed on more than 50,000 websites, security researchers warn.

The flaw, tracked as CVE-2022-45359, is an arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin with a 9.8 (critical) CVSS v3 rating.

Perpetrators can exploit the flaw to upload any type of file to vulnerable websites, including web shells and backdoors that give them further access and remote code execution privileges.

The vulnerability affects versions 3.19.0 and earlier of the WordPress plugin due to a lack of capability checks and file type validation in one of the plugin’s functions.

“The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin,” WordFence said in a security advisory. “This allows attackers to place a back door, obtain Remote Code Execution, and take over the site.”

According to security researchers, unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses might be solid indicators of compromise. Experts have also isolated a handful of payloads that could be used to determine if a website has been compromised, including:

  • kon.php/1tes.php – loads a copy of the “marijuana shell” file manager remotely from shell[.]prinsh[.]com, has a normalized SHA256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c
  • b.php – simple file uploader, has a normalized SHA256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19
  • admin.php – a password-protected backdoor, has a normalized SHA256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d

The researchers also noted that while the attacks were initiated from over 100 IP addresses, most of them originated from just two:

  • 103.138.108.15 – launched 19,604 attacks against 10,936 websites
  • 188.66.0.135 – launched 1,220 attacks against 928 websites
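The indicators listed above (unexpected POST requests to wp-admin/admin-post.php, the two most active source IPs, the three payload hashes, and the vulnerable version range) translate directly into a triage script. The following is an added example written for this page, not Wordfence's or YITH's code. The log format (Apache/Nginx "combined"), the sample log lines and the trusted-administrator network list are constructed assumptions; the hashes, IPs, file names and version cut-off come from the article. One caveat the script makes explicit: the article gives "normalized" SHA256 hashes (Wordfence hashes files after its own normalization step, which the article does not describe), so a raw digest of a file on disk will not necessarily equal the listed value, and the lookup is keyed on whatever digest the analyst supplies.

```python
"""Triage helpers for CVE-2022-45359 indicators (YITH WooCommerce Gift Cards Premium).

Added example for this article; not vendor code. Indicators below are the ones
quoted in the article, everything else (log format, sample data) is assumed.
"""
import hashlib
import re
from ipaddress import ip_address, ip_network

# --- Indicators taken from the article -------------------------------------
VULNERABLE_MAX_VERSION = (3, 19, 0)           # "up to and including 3.19.0"
REPORTED_ATTACKER_IPS = {"103.138.108.15", "188.66.0.135"}
KNOWN_PAYLOAD_HASHES = {                       # "normalized" SHA256 per the article
    "1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c":
        "kon.php / 1tes.php (remote loader for the 'marijuana shell' file manager)",
    "3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19":
        "b.php (simple file uploader)",
    "8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d":
        "admin.php (password-protected backdoor)",
}
SUSPICIOUS_FILENAMES = {"kon.php", "1tes.php", "b.php", "admin.php"}

# --- Assumption: Apache/Nginx combined log format --------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def version_is_vulnerable(version: str) -> bool:
    """True for plugin versions <= 3.19.0 (dotted numeric versions assumed)."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    parts += [0] * (3 - len(parts))            # treat "3.19" as 3.19.0
    return tuple(parts) <= VULNERABLE_MAX_VERSION


def parse_log_line(line: str):
    """Return a dict of fields for a combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_requests(lines, trusted_admin_nets):
    """Flag POSTs to admin-post.php from outside trusted networks, and any request
    from the source IPs named in the Wordfence report.

    Returns a list of (ip, path, [reasons]) tuples in log order.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"].split("?", 1)[0]
        reasons = []
        if rec["method"] == "POST" and path.endswith("/wp-admin/admin-post.php"):
            try:
                trusted = any(ip_address(ip) in net for net in trusted_admin_nets)
            except ValueError:                 # hostname instead of an address
                trusted = False
            if not trusted:
                reasons.append("POST to admin-post.php from an untrusted source")
        if ip in REPORTED_ATTACKER_IPS:
            reasons.append("source IP named in the Wordfence report")
        if reasons:
            hits.append((ip, rec["path"], reasons))
    return hits


def sha256_hex(data: bytes) -> str:
    """Raw SHA256 of file bytes; NOT the article's 'normalized' hash scheme."""
    return hashlib.sha256(data).hexdigest()


def lookup_payload(sha256_digest: str):
    """Description of a known payload for a given (normalized) SHA256, else None."""
    return KNOWN_PAYLOAD_HASHES.get(sha256_digest.strip().lower())


def suspicious_upload_names(filenames):
    """Filter a directory listing (e.g. wp-content/uploads) for the reported names."""
    return sorted({f for f in filenames if f.rsplit("/", 1)[-1] in SUSPICIOUS_FILENAMES})


# --- Constructed sample data (not from the article) -------------------------
TRUSTED_ADMIN_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.5/32")]
SAMPLE_LOG = [
    '103.138.108.15 - - [22/Nov/2022:10:15:32 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Nov/2022:10:16:01 +0000] "POST /wp-admin/admin-post.php?action=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Nov/2022:10:17:45 +0000] "GET /wp-admin/admin-post.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [22/Nov/2022:10:18:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 300 "-" "curl/7.85"',
]

if __name__ == "__main__":
    print("3.19.0 vulnerable:", version_is_vulnerable("3.19.0"))
    for ip, path, reasons in find_suspicious_requests(SAMPLE_LOG, TRUSTED_ADMIN_NETS):
        print(ip, path, "; ".join(reasons))
    print(suspicious_upload_names(["uploads/2022/11/b.php", "uploads/2022/11/img.png"]))
```

In practice the trusted-network list should be the addresses your administrators and any legitimate integrations actually use, since admin-post.php is also hit by normal plugin and theme actions; the value of the check is the combination of an unexpected source with a vulnerable plugin version, not the endpoint alone.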

Last but not least, users running vulnerable versions (up to and including 3.19.0) of the YITH WooCommerce Gift Cards Premium plugin are advised to update to the latest available version.

Author

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.