WordPress WooCommerce Payments bug exploited in the wild

WordPress sites using the WooCommerce Payments plugin have been targeted in a large-scale attack. The bug allows attackers to obtain administrative privileges, researchers warn.

Attackers are exploiting a critical vulnerability in WooCommerce Payments, a WordPress plugin installed on over 600,000 websites, researchers at security firm Wordfence warned.

The bug, tracked as CVE-2023-28121, has a CVSS score of 9.8, which rates it “critical.” WooCommerce addressed the flaw back in March 2023.

However, not every site applied the patch to the plugin, which lets merchants accept online payments directly on their websites. Researchers say exploiting the vulnerability allows attackers to hijack admin privileges on susceptible sites.

“Unlike many other large-scale campaigns, which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites,” researchers claim.

Threat actors targeted hundreds of thousands of websites, and the campaign peaked on July 15th with 157,000 attack instances. Researchers note that the cybercriminals began by probing vulnerable websites, launching the actual attacks several days after that reconnaissance.

“Many of the requests we’ve seen using this appear to be attempting to use their new administrative privileges to install the WP Console plugin, which can be used by an administrator to execute code on a site,” researchers said.

Once the unauthorized installation is complete, attackers can use it to execute malicious code and establish a presence on the victim’s system. WooCommerce Payments users are strongly advised to scan their systems for unauthorized plugins and admin-level users.
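The advice above (look for unexpected admin accounts and unauthorized plugins such as WP Console) can be turned into a repeatable audit. The following is an added example, not code from the article or from WooCommerce: it parses the JSON that WP-CLI's `wp user list --role=administrator --format=json` and `wp plugin list --format=json` produce and flags the indicators the researchers describe. The sample JSON is constructed, the allowlist of known admins is an assumption, and the `wp-console` slug is assumed to be the one WP Console uses.

```python
import json

# Constructed sample output in the shape of `wp user list --role=administrator --format=json`.
# The "wpadmin2" account stands in for an admin created by the attacker; it is invented data.
ADMIN_USERS_JSON = """[
 {"ID": 1, "user_login": "shopowner", "user_email": "owner@example.com",
  "user_registered": "2021-04-02 10:11:12", "roles": "administrator"},
 {"ID": 57, "user_login": "wpadmin2", "user_email": "x@example.net",
  "user_registered": "2023-07-15 03:22:48", "roles": "administrator"}
]"""

# Constructed sample output in the shape of `wp plugin list --format=json`.
# Version strings are placeholders; "update": "available" is what WP-CLI reports
# when a newer release exists for the plugin.
PLUGINS_JSON = """[
 {"name": "woocommerce-payments", "status": "active", "update": "available", "version": "x.y.z-placeholder"},
 {"name": "wp-console", "status": "active", "update": "none", "version": "x.y.z-placeholder"},
 {"name": "woocommerce", "status": "active", "update": "none", "version": "x.y.z-placeholder"}
]"""

KNOWN_ADMINS = {"shopowner"}       # assumption: the admin logins the site owner expects
SUSPECT_PLUGINS = {"wp-console"}   # assumed slug of the WP Console plugin named in the article


def audit(admin_users_json: str, plugins_json: str,
          known_admins: set, suspect_plugins: set) -> list:
    """Return a list of (severity, message) findings from the two WP-CLI JSON dumps."""
    findings = []

    # Any administrator not on the allowlist is a candidate for the hijacked-admin
    # indicator; the registration timestamp helps correlate with the campaign window.
    for user in json.loads(admin_users_json):
        if user["user_login"] not in known_admins:
            findings.append(("high", f"unexpected administrator '{user['user_login']}' "
                                     f"(ID {user['ID']}, registered {user['user_registered']})"))

    plugins = {p["name"]: p for p in json.loads(plugins_json)}

    # Plugins the site owner never installed (e.g. WP Console) are the post-exploitation indicator.
    for slug in sorted(suspect_plugins):
        if slug in plugins:
            findings.append(("high", f"suspect plugin '{slug}' present (status: {plugins[slug]['status']})"))

    # A pending update on WooCommerce Payments means the site may still be on a vulnerable release.
    wcpay = plugins.get("woocommerce-payments")
    if wcpay and wcpay.get("update") == "available":
        findings.append(("medium", "woocommerce-payments has a pending update; apply it "
                                   "(CVE-2023-28121 was fixed in March 2023)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(ADMIN_USERS_JSON, PLUGINS_JSON, KNOWN_ADMINS, SUSPECT_PLUGINS):
        print(f"[{severity}] {message}")
```

On a real site, replace the embedded strings with the live WP-CLI output (for example `wp user list --role=administrator --format=json > admins.json`) and keep the allowlist under version control so the audit can run from cron.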

The Cybernews research team has previously warned about the Balada Injector campaign that exploits popular WordPress plugins such as Elementor Pro Premium and WooCommerce. The injector reportedly infected over 1 million individual websites.
