Hackers have been exploiting a critical vulnerability in the WooCommerce Payments plugin to gain unauthorized access to WordPress sites.

The flaw, rated Critical with a CVSS score of 9.8, allows unauthenticated attackers to obtain administrative privileges on vulnerable websites.

Pictured: Using the exploit to create the ‘hacked’ administrator account (Source: RCE Security)

The vast majority of actual attacks come from the following IP addresses:

Common to all exploits targeting the WooCommerce Payments vulnerability is the following header which causes vulnerable sites to treat any additional payloads as coming from an administrative user:

X-Wcpay-Platform-Checkout-User: 1


Many of the requests Wordfence has seen carrying this header appear to be attempting to use the newly obtained administrative privileges to install the WP Console plugin, which an administrator can use to execute code on a site:

Pictured: A request attempting to install the wp-console plugin

Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence:

Pictured: A request attempting to use the wp-console plugin to execute malicious code in order to place an uploader

The payload in this particular example has an MD5 hash of fb1fd5d5ac7128bf23378ef3e238baba when saved to the victim filesystem, and the Wordfence scanner has provided detection for it since at least July 2021:

Pictured: The malicious file uploader payload left by the wp-console request
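As an added detection example (not Wordfence's or WooCommerce's code), the following Python flags requests that carry the impersonation header described above and the follow-on WP Console activity; the request record fields, the sample records and the plugin-install endpoint paths are assumptions, not values taken from the report.

```python
# Added example: detect the admin-impersonation header and follow-on WP Console
# activity in captured HTTP requests. Record fields (src, path, headers, body)
# are an assumed generic request-log format, not a real product's schema.
import re

IMPERSONATION_HEADER = "x-wcpay-platform-checkout-user"
# Assumed WordPress plugin-install endpoints; adjust to what your logs show.
PLUGIN_INSTALL_RE = re.compile(
    r"/wp-admin/(?:update\.php|plugin-install\.php|admin-ajax\.php)", re.I)
WP_CONSOLE_RE = re.compile(r"wp[-_]console", re.I)


def normalize_headers(headers: dict) -> dict:
    """Canonicalise header names to lower-case, hyphenated form.

    HTTP header names are case-insensitive, and PHP exposes them as
    $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'], so matching only the
    exact spelling 'X-Wcpay-Platform-Checkout-User' would miss captures
    taken at the PHP layer or sent with different casing.
    """
    out = {}
    for name, value in headers.items():
        key = name.strip().lower().replace("_", "-")
        if key.startswith("http-"):          # strip PHP's $_SERVER prefix
            key = key[len("http-"):]
        out[key] = str(value).strip()
    return out


def classify_request(req: dict) -> list[str]:
    """Return findings for one request record (empty list = nothing seen)."""
    findings = []
    headers = normalize_headers(req.get("headers", {}))
    path, body = req.get("path", ""), req.get("body", "")
    if IMPERSONATION_HEADER in headers:
        # The header alone is the exploit signature: ordinary storefront
        # traffic never asserts a platform-checkout user ID.
        findings.append(f"impersonation header (asserted user id {headers[IMPERSONATION_HEADER]})")
        if PLUGIN_INSTALL_RE.search(path):
            findings.append("plugin install attempt under impersonated admin")
    if WP_CONSOLE_RE.search(path) or WP_CONSOLE_RE.search(body):
        findings.append("wp-console plugin referenced")
    return findings


def scan(requests: list[dict]) -> dict[str, list[str]]:
    """Map source address -> findings, keeping only sources with a hit."""
    hits: dict[str, list[str]] = {}
    for req in requests:
        if found := classify_request(req):
            hits.setdefault(req.get("src", "?"), []).extend(found)
    return hits


SAMPLE = [  # constructed records, not real traffic (RFC 5737 test addresses)
    {"src": "203.0.113.10", "path": "/wp-admin/admin-ajax.php",
     "headers": {"X-Wcpay-Platform-Checkout-User": "1"},
     "body": "action=install-plugin&slug=wp-console"},
    {"src": "203.0.113.11", "path": "/",
     "headers": {"HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER": "1"}, "body": ""},
    {"src": "198.51.100.7", "path": "/shop/",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE).items():
        print(src, findings)
```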

If you use the WooCommerce Payments plugin, please update to the latest version as soon as possible. You can also check your site for newly added admin users, and if you see any that you don’t recognize, change your password and rotate your payment gateway and WooCommerce API keys.
