A critical flaw in the WooCommerce Payments plugin for WordPress has been exploited in a wave of targeted attacks over the past few days, according to researchers. The attacks peaked on July 15, with 1.3 million attempts made against 157,000 sites. The flaw, tracked as CVE-2023-28121 and rated 9.8 out of 10 on the CVSS scale, was found by researcher Michael Mazzolini of GoldNetwork in March during white-hat testing through WooCommerce's HackerOne program. Public exploit details quickly followed: RCE Security published a blog post earlier this month explaining how to take advantage of the flaw.
The vulnerability affects WooCommerce Payments versions 4.8.0 through 5.6.1. It allows an unauthenticated attacker to elevate privileges and send requests on behalf of an administrator, thereby gaining admin access to affected sites. WooCommerce Payments, which lets online stores accept credit cards, debit cards, and Apple Pay, is installed on more than 600,000 sites. Although the plugin has previously been targeted in Magecart skimming attacks, the current exploitation appears to be highly targeted rather than part of an indiscriminate mass campaign.
WooCommerce promptly patched the vulnerability and pushed the fix as an automatic update to WordPress sites running WooCommerce Payments 4.8.0 through 5.6.1. However, sites hosted outside WordPress.com that did not receive the automatic update had to install it manually, and many did not, leaving them exposed months after the patch was available.
The recent attacks on these vulnerable sites have caught the attention of the security firm Wordfence. Unlike previous large-scale campaigns that indiscriminately targeted millions of sites, this attack is focused on a smaller subset of websites. Wordfence researchers observed a surge in plugin enumeration requests several days before the main wave of attacks. These requests looked for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites; a plugin's readme.txt discloses the installed version, so the scan let the attackers shortlist sites still running a vulnerable release before launching the actual exploits. Most of the exploit attempts originated from a handful of IP addresses, whereas the readme.txt requests came from thousands of IP addresses. Approximately 5,000 IP addresses were responsible for both readme.txt requests and exploit attempts.
All of the exploit requests targeting the vulnerability shared a common header, X-Wcpay-Platform-Checkout-User: 1. The header caused vulnerable sites to treat the rest of the request as coming from user ID 1, which on most WordPress installs is the original administrator account. The attackers used this access to install the WP Console plugin, which lets an administrator run arbitrary PHP on the site, giving them code execution and a way to establish persistence on compromised sites. Attackers were also observed creating additional administrator accounts with randomized usernames, a backdoor that survives removal of the WP Console plugin.
The exploit, as described by Julien Ahrens of RCE Security, targets the plugin's determine_current_user_for_platform_checkout() function, which is hooked into WordPress's determine_current_user filter. When the X-WCPAY-PLATFORM-CHECKOUT-USER request header is present, the function returns the header's value as the current user ID without any authentication, so an unauthenticated attacker can impersonate any user, including an administrator, simply by setting the header. Once admin impersonation is achieved, the entire WordPress instance can be compromised and the attacker can take full control of the site.
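The two signals above (readme.txt enumeration of the plugin directory, then requests carrying the X-Wcpay-Platform-Checkout-User header) can be turned into a simple triage script. The following is an added example, not code from Wordfence, WooCommerce or RCE Security. It assumes a reverse proxy or WAF that exports one record per request with the client IP, method, path and selected request headers (stock web-server access logs do not record headers), and the sample records, including the wp-json endpoints hit with the header, are constructed for illustration rather than taken from the observed campaign.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not real logs). Format assumed: one dict per
# request as exported by a proxy/WAF that records selected request headers.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.10", "method": "GET",
     "path": "/wp-content/plugins/woocommerce-payments/readme.txt", "headers": {}},
    {"ip": "198.51.100.11", "method": "GET",
     "path": "/wp-content/plugins/woocommerce-payments/readme.txt", "headers": {}},
    {"ip": "192.0.2.6", "method": "GET",
     "path": "/wp-content/plugins/woocommerce-payments/readme.txt", "headers": {}},
    # Same scanner comes back and tries to act as user ID 1 via the header.
    {"ip": "198.51.100.10", "method": "POST", "path": "/wp-json/wp/v2/plugins",
     "headers": {"X-Wcpay-Platform-Checkout-User": "1"}},
    # Header names are case-insensitive on the wire; the check must be too.
    {"ip": "203.0.113.7", "method": "POST", "path": "/wp-json/wp/v2/users",
     "headers": {"x-wcpay-platform-checkout-user": "1"}},
    {"ip": "192.0.2.5", "method": "GET", "path": "/shop/", "headers": {}},
]

ENUM_PATH_RE = re.compile(
    r"/wp-content/plugins/woocommerce-payments/readme\.txt$", re.IGNORECASE)
HEADER_NAME = "x-wcpay-platform-checkout-user"


def is_plugin_enumeration(req):
    """GET of the plugin's readme.txt: version fingerprinting, the first stage
    of the campaign described above."""
    return req["method"].upper() == "GET" and bool(ENUM_PATH_RE.search(req["path"]))


def checkout_user_header(req):
    """Return the X-Wcpay-Platform-Checkout-User value, or None if absent."""
    for name, value in req["headers"].items():
        if name.lower() == HEADER_NAME:
            return value
    return None


def is_exploit_attempt(req):
    """A request from an arbitrary client carrying a numeric checkout-user
    header is the exploit signature: browsers never send this header, and the
    patched plugin no longer trusts it, so blocking it at the edge is safe."""
    value = checkout_user_header(req)
    return value is not None and value.strip().isdigit()


def triage(requests):
    """Summarise enumeration and exploit activity per source IP and list the
    IPs that did both (the scan-then-exploit pattern Wordfence reported)."""
    per_ip = defaultdict(lambda: {"enumeration": 0, "exploit": 0})
    for req in requests:
        if is_plugin_enumeration(req):
            per_ip[req["ip"]]["enumeration"] += 1
        if is_exploit_attempt(req):
            per_ip[req["ip"]]["exploit"] += 1
    enum_ips = {ip for ip, c in per_ip.items() if c["enumeration"]}
    exploit_ips = {ip for ip, c in per_ip.items() if c["exploit"]}
    return {
        "enumeration_ips": sorted(enum_ips),
        "exploit_ips": sorted(exploit_ips),
        "both": sorted(enum_ips & exploit_ips),
        "per_ip": dict(per_ip),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REQUESTS)
    print("scanners:", summary["enumeration_ips"])
    print("exploit sources:", summary["exploit_ips"])
    print("scan-then-exploit:", summary["both"])
```

Run against a real export, the "exploit_ips" list is what to block and investigate first, and any hit on a site that was unpatched at the time should be treated as a probable compromise rather than a blocked attempt. Note the caveat that the header is legitimately used by the WooPay platform integration; a site that relies on that integration should tune the rule to its platform's source addresses rather than drop the header blindly.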
To prevent compromise, site owners should update WooCommerce Payments to the latest version; the fix shipped in 5.6.2, and any release from that version onward is patched. Because the campaign has been running for days, updating alone is not enough for a site that was exposed: check for unexpected administrator accounts, unfamiliar plugins such as WP Console, and unexpected posts or scheduled tasks, then reset administrator passwords. API keys used on the site, including WooCommerce REST API keys, should also be rotated as a precaution. Do the rotation only after the plugin has been updated, since an attacker who can still impersonate an administrator can simply read or recreate the new credentials.
As the attacks on WooCommerce Payments show, website owners need to stay vigilant and make sure security patches are actually installed, not merely available. By promptly updating plugins and following basic website security practices, site owners can greatly reduce the risk of falling victim to attacks like these.
