Hackers have been exploiting a critical vulnerability in the WooCommerce Payments plugin to gain unauthorized access to WordPress sites.
The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites, rating it a Critical CVSS score of 9.8.
Source: RCE Security
The vast majority of actual attacks come from the following IP addresses:
194.169.175.93– 213,212 sites attacked2a10:cc45:100::5474:5a49:bfd6:2007– 90,157 sites attacked103.102.153.17– 27,346 sites attacked79.137.202.106– 14,799 sites attacked193.169.194.63– 14,619 sites attacked79.137.207.224– 14,509 sites attacked193.169.195.64– 13,491 sites attacked
Common to all exploits targeting the WooCommerce Payments vulnerability is the following header which causes vulnerable sites to treat any additional payloads as coming from an administrative user:
X-Wcpay-Platform-Checkout-User: 1
Many of the requests Wordfence has seen using this appear to be attempting to use their new administrative privileges to install the WP Console plugin, which can be used by an administrator to execute code on a site:
Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence:
The payload in this particular example has an MD5 hash of fb1fd5d5ac7128bf23378ef3e238baba when saved to the victim filesystem, and the Wordfence scanner has provided detection for it since at least July 2021:
If you use the WooCommerce Payments plugin, please update to the latest version as soon as possible. You can also check your site for newly added admin users, and if you see any that you don’t recognize, change your password and rotate your payment gateway and WooCommerce API keys.
