Hackers are widely exploiting an essential WooCommerce Payments plugin to gain privileges for all users, including administrators, on a vulnerable WordPress installation.

WooCommerce Payments is a very popular WordPress plugin for websites to accept credit and debit cards as payment in WooCommerce stores. According WordPressthe plugin is used on more than 600,000 active installs.

On March 23, 2023, the liberated developers version 5.6.2 to fix the critical vulnerability rated 9.8 identified as CVE-2023-28121. The flaw affects versions 4.8.0 and above of the WooCommerce Payment plugin, and is fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1 , 5.5.2. , 5.6.2 and later.

As the vulnerability allows any remote user to impersonate an administrator and take full control of a WordPress site, Auto force installed security patch WordPress installations using the plugin.

At the time, WooCommerce said there were no known active exploits for the vulnerability, but researchers warned that due to the critical nature of the bug, we would likely see an exploit in the future.

Actively Exploited Flaw

This month, RCE Security researchers analyzed the bug and published a tech blog about the CVE-2023-28121 vulnerability and how it can be exploited.

The researchers explain that attackers can simply add a ‘X-WCPAY-PLATFORM-CHECKOUT-USER‘ request header and set it to the user ID of the account they want to borrow.

When WooCommerce Payments sees this header, it treats the request as if it came from the specified user ID, including all user privileges.

As part of the blog post, RCE Security released a proof-of-concept exploit that uses this flaw to create a new admin user on vulnerable WordPress sites, making it easy for hackers to take full control of the site.

Today, WordPress security firm Wordfence warned that threat actors were exploiting the vulnerability in a massive campaign targeting over 157,000 sites by Saturday.

“Large-scale attacks against the vulnerability, attributed CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday July 16, 2023”, explains Closing words.

Wordfence says threat actors use the exploit to install the WP Console Plugin or create administrator accounts on the targeted device.

For systems where WP Console was installed, threat actors used the plugin to execute PHP code that installs a file downloader on the server that can be used as a backdoor even after the vulnerability is fixed.

Wordfence says it has seen other attackers use the exploit to create administrator accounts with random passwords.

To scan for vulnerable WordPress sites, hackers try to access the ‘/wp-content/plugins/woocommerce-payments/readme.txt’ file, and if it exists, they exploit the flaw.

The researchers shared seven IP addresses responsible for these attacks, with IP address 194.169.175.93 scanning 213,212 sites.

BleepingComputer saw similar activity in our access logs starting July 12.

Due to the ease with which CVE-2023-28121 can be exploited, all sites using the WooCommerce Payment plugin are strongly advised to ensure that their installations are up to date.

If you haven’t updated your installation recently, site administrators are also advised to scan their sites for unusual PHP files and suspicious administrator accounts and remove any that are found.