Threat actors have started hacking WordPress websites by exploiting a critical vulnerability in the WooCommerce Payments plugin.
Described as a fully integrated payment solution for WooCommerce stores, the plugin has over 600,000 active installs, according to WordPress tracking data.
Tracked as CVE-2023-28121 (CVSS score of 9.8) and patched in plugin version 5.6.2 on March 23, the vulnerability allows an unauthenticated attacker to impersonate an administrator account and take full control of a vulnerable website.
While there were no signs of the bug being exploited in the wild at the time of the patch release, WordPress security firm Defiant now reports that malicious attacks targeting unpatched versions of the WooCommerce Payments plugin have been ongoing for the past week.
“Large-scale attacks against the vulnerability, designated CVE-2023-28121, began on Thursday, July 14, 2023 and continued through the weekend, reaching 1.3 million attacks on 157,000 sites on Saturday, July 16, 2023,” Defiant says.
The campaign, which focuses on a small set of websites, began with plugin enumeration requests that looked for a specific file in the plugin directory.
While the requests were spread across thousands of IP addresses, most of the observed attacks came from a set of seven IP addresses, Defiant notes.
All observed exploits targeting CVE-2023-28121 cause the affected site to treat any additional requests as coming from an admin user. Many of these requests then attempted to use the administrator privileges to install the WP Console plugin, Defiant says, in order to gain code execution.
“Once the WP Console plugin is installed, attackers can place a file exploit to execute malicious code and establish persistence,” says Defiant.
All sites running WooCommerce Payments 4.8.0 through 5.6.1 are vulnerable to CVE-2023-28121. According to WordPress, more than 60% of sites run a plugin version older than 5.9.x, but it’s unclear how many of those sites are at risk.
Site administrators are advised to update their WooCommerce Payments installations to a patched version as soon as possible, especially since exploits targeting CVE-2023-28121 and technical details on the vulnerability have been public for several weeks.
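Two defender-side checks that follow from the facts above, written as an added example rather than code from the article or from Defiant: a version test against the affected range (4.8.0 through 5.6.1, fixed in 5.6.2), and a scan of web-server access-log lines that counts, per client IP, probes of the WooCommerce Payments plugin directory (the enumeration stage) and attempts to install the WP Console plugin through the admin interface (the post-exploitation stage). The log format, the probed file name, and the exact shape of a plugin-install request are assumptions for illustration, since the article names neither the file that was probed nor the request used; the sample log lines are constructed.

```python
"""Added example (not from the article or from Defiant): defender-side checks for
the WooCommerce Payments campaign described above. All paths and log lines are
constructed/assumed for illustration."""
from collections import Counter
import re

# Affected range stated in the article: 4.8.0 through 5.6.1; fixed in 5.6.2.
AFFECTED_MIN = (4, 8, 0)
AFFECTED_MAX = (5, 6, 1)
FIXED = (5, 6, 2)


def parse_version(text):
    """Turn '5.6.1' (or '5.6') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text):
    """True when the installed plugin version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# Assumed combined-log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The article says attackers looked for "a specific file in the plugin directory";
# the directory below is the plugin's standard install path, the file is not named.
PLUGIN_DIR = "/wp-content/plugins/woocommerce-payments/"

# Assumed shape of an admin-side plugin install request naming wp-console
# (WordPress core's update.php install-plugin action is used here as the assumption).
INSTALL_RE = re.compile(r"/wp-admin/update\.php\?(?:.*&)?action=install-plugin(?:&.*)?&plugin=wp-console")


def scan_access_log(lines):
    """Count plugin-directory probes and WP Console install attempts per client IP."""
    enumeration = Counter()
    wp_console_install = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, path = m["ip"], m["path"]
        if path.startswith(PLUGIN_DIR):
            enumeration[ip] += 1
        if INSTALL_RE.search(path):
            wp_console_install[ip] += 1
    return {
        "enumeration": dict(enumeration),
        "wp_console_install": dict(wp_console_install),
        "distinct_probe_ips": len(enumeration),
    }


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2023:10:00:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Jul/2023:10:00:02 +0000] "GET /wp-admin/update.php?action=install-plugin&plugin=wp-console HTTP/1.1" 200 1024',
    '198.51.100.7 - - [14/Jul/2023:10:00:03 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 0',
    '192.0.2.9 - - [14/Jul/2023:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for v in ("4.7.9", "4.8.0", "5.6.1", "5.6.2"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not in affected range")
    print(scan_access_log(SAMPLE_LOG))
```

A probe of the plugin directory from many distinct IPs followed by an install request naming wp-console from an IP that has no legitimate admin session is the sequence worth alerting on; the version check is the quicker test, since any site on 5.6.2 or later is outside the affected range regardless of what the log shows.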
“These attacks demonstrate greater sophistication than similar attacks we’ve seen in the past, including anticipating the main wave of attacks and persistence techniques using functions available to administrator-level users,” notes Defiant.