Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites.

YITH WooCommerce Gift Cards Premium is a plugin for website operators to sell gift cards in their online stores.

The vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), allows unauthenticated attackers to upload files to vulnerable sites, including web shells that provide full site access.

CVE-2022-45359 was publicly disclosed on November 22, 2022, and affects all plugin versions up to 3.19.0. The security update that fixed the issue was version 3.20.0; the vendor has since released version 3.21.0, which is the recommended upgrade target.

Unfortunately, many sites still use the old vulnerable version, and hackers have already designed a working exploit to attack them.

According to WordPress security experts at Wordfence, exploitation is well underway, with hackers abusing the vulnerability to upload backdoors to sites, achieve remote code execution, and take over sites.

Actively exploited in attacks

Wordfence reverse-engineered an exploit that hackers use in attacks, finding that the problem lies with the plugin’s “import_actions_from_settings_panel” function that runs on the “admin_init” hook.

Additionally, this function does not perform CSRF or capability checks in vulnerable versions.

Together, these issues allow unauthenticated attackers to send POST requests to “/wp-admin/admin-post.php” with the appropriate parameters and upload a malicious PHP file to the site.

“It is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.” – Wordfence
Exploit code CVE-2022-45359 (Wordfence)

Malicious requests appear in the logs as unexpected POST requests from unknown IP addresses, which should be a sign to site administrators that they are under attack.

The files Wordfence observed being uploaded in these attacks are as follows:

  • kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager into memory from a remote location (shell[.]prinsh[.]com)
  • b.php – simple download file
  • admin.php – password protected backdoor
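A log triage script for the pattern described above, added here as an example (not Wordfence's tooling): it reads access-log lines in combined format, flags POSTs to /wp-admin/admin-post.php from sources outside an assumed admin allowlist, flags requests for the dropped web-shell filenames, and counts both per source IP. The sample log lines are constructed, using the attacker IPs the article names; the POST body parameters of the exploit are not visible in an access log, so the script keys on the endpoint and the follow-up hits instead.

```python
import re
from collections import Counter, defaultdict

# Combined log format: client IP, request line (method + path), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint abused by the exploit and the web-shell filenames Wordfence reported.
VULN_ENDPOINT = "/wp-admin/admin-post.php"
DROPPED_FILES = ("kon.php", "1tes.php", "b.php", "admin.php")

# Constructed sample lines (not real traffic). 203.0.113.10 stands in for a legitimate admin.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
103.138.108.15 - - [14/Dec/2022:10:02:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
103.138.108.15 - - [14/Dec/2022:10:02:13 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 512
188.66.0.135 - - [14/Dec/2022:10:05:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
203.0.113.10 - - [14/Dec/2022:10:06:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
"""

def classify(line, trusted_ips=frozenset()):
    """Return (ip, reason) when a line matches the exploit pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m["ip"], m["method"], m["path"]
    base = path.split("?", 1)[0]
    # admin.php is a legitimate core file under /wp-admin/, so only flag the
    # dropped names when they appear outside that directory.
    if not base.startswith("/wp-admin/") and base.rsplit("/", 1)[-1] in DROPPED_FILES:
        return (ip, "webshell-hit")
    # A POST to admin-post.php from a source that is not a known administrator.
    if method == "POST" and base == VULN_ENDPOINT and ip not in trusted_ips:
        return (ip, "admin-post")
    return None

def summarize(log_text, trusted_ips=frozenset()):
    """Count suspicious events per source IP, keyed by reason."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line, trusted_ips)
        if hit:
            per_ip[hit[0]][hit[1]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG, trusted_ips={"203.0.113.10"}).items():
        print(ip, counts)
```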

Analysts report that most of the attacks happened in November before administrators could fix the flaw, but a second peak was observed on December 14, 2022.

The IP address 103.138.108.15 was a major source of attacks, launching 19,604 exploit attempts against 10,936 websites. The second most active IP address was 188.66.0.135, responsible for 1,220 attacks against 928 WordPress sites.

Exploit attempts are still ongoing, so users of the YITH WooCommerce Gift Cards Premium plugin are advised to upgrade to 3.21 as soon as possible.
