WordPress plugin for selling gift cards has become a new attack vector

Attackers are actively exploiting a critical vulnerability in the WordPress plugin YITH WooCommerce Gift Cards Premium, which is installed on more than 50,000 websites. YITH WooCommerce Gift Cards Premium lets site owners sell gift cards in their online stores.

In November, researchers found a vulnerability in the plugin that was assigned the identifier CVE-2022-45359 and a CVSS score of 9.8 out of 10. It allows attackers to upload arbitrary files to the site, including web shells that give full control over it. The bug affects all versions of the plugin up to and including 3.19.0. The fix was published in version 3.20.0, but the vendor has since released version 3.21.0 and recommends updating to that release.

As Wordfence analysts report, many sites still run the old, vulnerable version of the plugin, and attackers are taking advantage of it: their exploit lets them upload backdoors, execute code remotely and take over the victims' sites.

The researchers reverse-engineered the exploit and found that the problem lies in the import_actions_from_settings_panel function, which is hooked to admin_init. In vulnerable versions of the plugin this function performs neither a CSRF (nonce) check nor a capability check. Because admin_init also fires for requests to /wp-admin/admin-post.php, which does not require a logged-in user, the handler is reachable without authentication.

Together, these two missing checks allow unauthenticated attackers to send POST requests to /wp-admin/admin-post.php that upload malicious PHP files to the site.
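To make the two missing checks concrete, here is an added illustration, constructed for this article and not the plugin's actual source code: a hypothetical settings-import handler hooked to admin_init in the vulnerable shape described above, followed by a hardened version. The function names, the option name, the capability manage_woocommerce, the size limit and the JSON import format are assumptions.

```php
<?php
// Constructed illustration, not the plugin's real code. Names are hypothetical.

// VULNERABLE PATTERN: admin_init also fires for /wp-admin/admin-post.php, which
// does not require a logged-in user, and the handler checks neither a nonce
// (CSRF) nor a capability, so anyone who POSTs a file reaches the import code.
function insecure_import_actions_from_settings_panel() {
    if ( empty( $_POST['my_import'] ) || empty( $_FILES['import_file'] ) ) {
        return;
    }
    // Writes the upload under its user-supplied name: a .php file becomes a web shell.
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['import_file']['name'];
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
}
add_action( 'admin_init', 'insecure_import_actions_from_settings_panel' );

// HARDENED PATTERN: require an authenticated user with the right capability,
// verify a nonce tied to this action, validate the content rather than the
// file name, and never write the upload into the web root.
function secure_import_actions_from_settings_panel() {
    if ( empty( $_POST['my_import'] ) || empty( $_FILES['import_file'] ) ) {
        return;
    }
    // Capability check: anonymous users and customers are rejected here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // CSRF check: the form must carry a nonce for this specific action;
    // check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'my_import_settings', 'my_import_nonce' );

    $file = $_FILES['import_file'];
    if ( $file['error'] !== UPLOAD_ERR_OK || $file['size'] > 512 * 1024 ) {  // 512 KiB: assumed limit
        wp_die( 'Invalid upload', 400 );
    }
    // Validate the content: the import format is assumed to be JSON.
    $data = json_decode( file_get_contents( $file['tmp_name'] ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Import file is not valid JSON', 400 );
    }
    // Consume the data in memory; nothing is ever stored as a file.
    update_option( 'my_plugin_imported_settings', $data );
}
add_action( 'admin_init', 'secure_import_actions_from_settings_panel' );
```

Note that is_admin() is not an authentication check: it returns true for admin-post.php even for anonymous requests, so it cannot substitute for current_user_can(). The nonce expected by the hardened handler is emitted in the settings form with wp_nonce_field( 'my_import_settings', 'my_import_nonce' ).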

Malicious requests show up in logs as unexpected POST requests from unknown IP addresses.

Wordfence found the following malicious files:

  • kon.php / 1tes.php – loads a copy of the "marijuana shell" file manager in memory from a remote source (shell[.]prinsh[.]com);

  • b.php – a simple uploader;

  • admin.php – a password-protected backdoor.

Analysts report that most attacks occurred in November, before administrators had managed to patch the vulnerability, but a second peak of compromises was observed on December 14, 2022.

The attacks come from hundreds of IP addresses, two of which are the most active: 103[.]138.108.15 in Vietnam (19,604 attacks against 10,936 different sites) and 188[.]66.0.135 in Estonia (1,220 attacks against 928 sites).
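As an added example of turning the indicators above into a log check (this is constructed for the article, not a Wordfence tool), the following PHP script scans Apache combined-format access log lines for the activity described in this report: POST requests to /wp-admin/admin-post.php from addresses that are not known administrators, requests from the two IP addresses named above, and follow-up requests to the dropped file names. The allowlist of admin IPs, the assumption that dropped files land outside /wp-admin/, and the sample log lines are all made up for the example.

```php
<?php
// Added detection example. The attacker IPs and file names come from the
// report; the admin allowlist and the log lines are constructed.

const KNOWN_ATTACK_IPS = ['103.138.108.15', '188.66.0.135'];
const DROPPED_FILES    = ['kon.php', '1tes.php', 'b.php', 'admin.php'];
const KNOWN_ADMIN_IPS  = ['203.0.113.10']; // assumption: your own admins (documentation range)

// Parse one Apache combined log line: ip - user [ts] "METHOD path HTTP/x" status bytes ...
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return the list of reasons a request is suspicious (empty if none).
function classify(array $r): array {
    $hits = [];
    $path = parse_url($r['path'], PHP_URL_PATH) ?? $r['path'];

    if (in_array($r['ip'], KNOWN_ATTACK_IPS, true)) {
        $hits[] = 'known attacker IP';
    }
    // The exploit is an unauthenticated POST to admin-post.php. The action
    // parameter travels in the body, so the access log only shows the POST itself.
    if ($r['method'] === 'POST' && $path === '/wp-admin/admin-post.php'
        && !in_array($r['ip'], KNOWN_ADMIN_IPS, true)) {
        $hits[] = 'admin-post.php POST from non-admin IP';
    }
    // A later request for one of the dropped files indicates a successful upload.
    // /wp-admin/admin.php is a legitimate core file, so paths under /wp-admin/ are skipped.
    if (in_array(basename($path), DROPPED_FILES, true) && strpos($path, '/wp-admin/') !== 0) {
        $hits[] = 'request to known dropped file ' . basename($path);
    }
    return $hits;
}

function scan_log(array $lines): array {
    $alerts = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $hits = classify($r);
        if ($hits) {
            $alerts[] = sprintf('%s %s %s %s -> %s',
                $r['time'], $r['ip'], $r['method'], $r['path'], implode('; ', $hits));
        }
    }
    return $alerts;
}

// Constructed sample lines, not real traffic.
$sample = [
    '203.0.113.10 - - [14/Dec/2022:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '103.138.108.15 - - [14/Dec/2022:10:05:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '103.138.108.15 - - [14/Dec/2022:10:05:12 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2022:10:07:30 +0000] "GET /wp-admin/admin.php?page=wc-settings HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2022:10:09:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.28"',
];

foreach (scan_log($sample) as $alert) {
    echo $alert, PHP_EOL;
}
```

Of the five sample lines, the first (an allowlisted admin) and the fourth (a normal request for the core /wp-admin/admin.php) produce nothing, while the other three are reported. The admin-post.php rule is deliberately noisy: legitimate plugins also post there, so on a real site it is best paired with the site's own list of administrator addresses or with the response size, since the exploit request carries a file upload.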

Source: media reports.