Massive Cyberattack Targets Critical WordPress Plugin Vulnerability

Critical vulnerabilities in a popular WordPress plugin, WooCommerce Payments, have been exploited in a significant cyberattack, according to WordPress security company Wordfence. The vulnerability, tagged as CVE-2023-28121, was targeted in a massive cyberattack campaign on Thursday, July 14, 2023, and continued over the following weekend.

The vulnerability has a critical severity CVSS score of 9.8 out of 10 and can empower unverified attackers to hijack websites by impersonating privileged users, like a website administrator.

The onslaught peaked on Saturday, July 16, 2023, with approximately 1.3 million attacks on 157,000 sites. The attacks were mainly directed at WooCommerce Payments plugin versions starting from 4.8.0 and upwards.

The malicious attackers exploited this vulnerability by adding an X-WCPAY-PLATFORM-CHECKOUT-USER request header and setting it to the user account ID they wanted to impersonate. WooCommerce would then process the request as if it originated from the actual account, providing the threat actors with the associated privileges.

They could then create new administrator accounts or install another plugin, WP Console, which, with administrator privileges, could run malicious code, deploy file uploaders, and establish backdoors on compromised websites.

Alarmingly, using a file uploader as a backdoor could persist on compromised websites even after the vulnerability is fixed. Attackers primarily identified susceptible sites by trying to access the /wp-content/plugins/woocommerce-payments/readme.txt file. If this file existed, the assault would begin.

WooCommerce responded to this threat by releasing version 5.6.2 of the plugin on March 23, which addressed the vulnerability. However, despite their assurances that there was no known exploitation at the time, security researchers warned that the critical nature of the flaw might lead to exploitation cases surfacing in the future. Unfortunately, this prediction proved to be correct.

"Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," according to Wordfence's security advisory.

In light of these attacks, website administrators are strongly encouraged to update their websites and plugins. In cases where plugin updates have not been installed for a significant amount of time, it is recommended to check for and remove any suspicious accounts and PHP files.