Hackers Exploiting Flaw In WooCommerce Payments Plugin To Gain Admin Access
Hackers have been exploiting a critical vulnerability in the WooCommerce Payments plugin to gain unauthorized access to WordPress sites.
The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites; the vulnerability carries a Critical CVSS score of 9.8.
The vast majority of actual attacks come from the following IP addresses:
188.8.131.52 – 213,212 sites attacked
2a10:cc45:100::5474:5a49:bfd6:2007 – 90,157 sites attacked
184.108.40.206 – 27,346 sites attacked
220.127.116.11 – 14,799 sites attacked
18.104.22.168 – 14,619 sites attacked
22.214.171.124 – 14,509 sites attacked
126.96.36.199 – 13,491 sites attacked
Common to all exploits targeting the WooCommerce Payments vulnerability is the following header, which causes vulnerable sites to treat any additional payloads as coming from an administrative user:
Many of the requests Wordfence has seen using this header appear to be attempts to use the newly obtained administrative privileges to install the WP Console plugin, which an administrator can use to execute code on a site:
Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence:
The payload in this particular example has an MD5 hash of fb1fd5d5ac7128bf23378ef3e238baba when saved to the victim filesystem, and the Wordfence scanner has provided detection for it since at least July 2021:
If you use the WooCommerce Payments plugin, please update to the latest version as soon as possible. You can also check your site for newly added admin users, and if you see any that you don’t recognize, change your password and rotate your payment gateway and WooCommerce API keys.
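The two checks recommended above (newly added administrator accounts, and the uploader payload identified by its MD5 hash) can be scripted. The following is an added example, not code from the original article or from Wordfence: it runs the admin-user query against the real WordPress table layout (wp_users and wp_usermeta, where roles are stored as a PHP-serialized array under the key wp_capabilities), using constructed rows in an in-memory SQLite database so it runs offline, and it hashes PHP files under a directory against the MD5 quoted in the report. The cutoff date and the sample user names are assumptions; on a real site you would point the same query at the production database and the file walk at the web root.

```python
"""Post-incident triage for a WordPress site after the WooCommerce Payments
privilege-escalation campaign (added example; rows and dates are constructed)."""
import hashlib
import os
import sqlite3

# MD5 of the file uploader payload quoted in the report.
UPLOADER_MD5 = "fb1fd5d5ac7128bf23378ef3e238baba"

# Mirrors the real WordPress schema: the role lives in wp_usermeta under the
# key <table_prefix>capabilities, serialized like a:1:{s:13:"administrator";b:1;}
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered > ?
ORDER BY u.user_registered
"""


def new_admins(conn, known_good_date):
    """Return (login, registered) for administrator accounts created after
    known_good_date (ISO 'YYYY-MM-DD HH:MM:SS', as WordPress stores it)."""
    rows = conn.execute(ADMIN_QUERY, (known_good_date,)).fetchall()
    return [(login, registered) for _id, login, registered in rows]


def files_matching_ioc(root, md5_hex=UPLOADER_MD5):
    """Walk root and return relative paths of .php files whose MD5 equals the IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            if digest == md5_hex:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_db():
    """Constructed copy of wp_users / wp_usermeta for offline demonstration.
    'wpuser' stands in for an account an attacker added via the exploit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "owner", "2021-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "shopeditor", "2022-11-20 09:00:00", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wpuser", "2023-07-15 03:12:44", 'a:1:{s:13:"administrator";b:1;}'),
        (4, "customer42", "2023-07-16 18:40:10", 'a:1:{s:10:"subscriber";b:1;}'),
    ]
    for uid, login, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        conn.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    # Assumed: the last date at which the admin list was known to be correct.
    for login, registered in new_admins(db, "2023-07-01 00:00:00"):
        print(f"unexpected administrator: {login} (registered {registered})")
    for rel in files_matching_ioc("."):
        print(f"uploader payload found: {rel}")
```

The LIKE pattern matches the serialized role string rather than parsing PHP serialization, which is sufficient for a triage query; if the site uses a custom table prefix, the meta_key is `<prefix>capabilities` rather than `wp_capabilities`. Hash matching catches only the exact payload from the report, so treat an empty result as necessary, not sufficient, evidence that no uploader was left behind.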