A critical vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin, which is installed on over 50,000 websites, is actively being targeted by hackers.
Website owners can sell gift cards in their online stores using the plugin YITH WooCommerce Gift Cards Premium, according to Bleeping Computer.
The Bug Targets Every Plug In Version
An exploit for a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium has been monitored by the Wordfence Threat Intelligence team.
Unauthorized attackers can upload files to vulnerable websites, including web shells that grant full site access, by taking advantage of the vulnerability cataloged as CVE-2022-45359.
On November 22, CVE-2022-45359 was made public, and was announced to have been affecting all plugin versions up to 3.19.0.
Version 3.20.0 of the vendor's security update, which fixed the issue, has since been replaced by version 3.21.0, which is the suggested upgrade point.
Unfortunately, a lot of websites continue to use the outdated, weak version, and attackers have already created a successful exploit to target them.
WordPress security specialists at Wordfence claim that the exploitation effort is well under way and that hackers are using the vulnerability to upload backdoors on the websites, obtain remote code execution, and launch takeover attacks.
The Wordfence firewall's built-in file upload rules shield all Wordfence customers, including Wordfence Premium, Care, and Response customers as well as Wordfence free users, from exploits focusing on this vulnerability.
These guidelines forbid the upload of files with known harmful extensions, files that contain PHP executable code, and files that are known to be malicious, Wordfence writes.
Read More: Chinese Hackers Disguise Malware using Google Drive to Target Organizations
The Exploitation Are Still Being Executed By Hackers
According to reports, Wordfence was able to reverse-engineer the exploit using attack data and a copy of the vulnerable plugin, and they are now disclosing details about its operation.
This is due to the fact that a patch has been available for a while and that this vulnerability is already being used in the wild.
The function called import_actions_from_settings_panel, which is called by the admin_init hook, is where the problem is.
Additionally, in vulnerable versions, this function does not run CSRF or capability checks, Bleeping Computer says.
Sending a request to /wp-admin/admin-post.php as an unauthenticated attacker will cause functions that run on admin init to be activated because admin init runs for any page in the /wp-admin/ directory.
The fact that the malicious requests show up on logs as unexpected POST requests coming from unknown IP addresses should alert site administrators to an attack.
The majority of attacks, according to the analysts, took place in November before administrators could fix the vulnerability, but a second peak was noticed on December 14.
Users of the YITH WooCommerce Gift Cards Premium plugin are advised to update as soon as possible to version 3.21 due to the ongoing exploitation attempts, Wordfence details.
Related Article: Kaiser Permanente Hack: Health Data of 69,000 People Exposed - How Did It Happen