Updated on 2022-12-29: WordPress attacks
A threat actor is exploiting a vulnerability in a WordPress gift card plugin (YITH WooCommerce Gift Cards Premium) to compromise and take over WordPress sites, per Wordfence. The plugin is installed on roughly 50,000 sites, and a security update is available for it.
Updated on 2022-12-27: WordPress YITH WooCommerce Gift Cards Premium Plug-in Vulnerability
A critical arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plug-in is being actively exploited. The plug-in has more than 50,000 installations. The flaw affects versions of the plug-in up through 3.19.0 and has been addressed in version 3.20.0. Users are urged to install the most recent version of the plug-in.
Note
- The exploit leverages a flaw in the import_actions_from_settings_from_panel function, which is hooked to admin_init. That hook fires on every request that goes through the admin bootstrap, including requests from users who are not logged in, so the function ran in the admin context without authentication and was reachable like any other /wp-admin/ endpoint. The function also lacked a CSRF (nonce) check and a capability and file-type check, which is what turned it into an unauthenticated arbitrary file upload. The fixed version (3.20.0) was released December 6th and has been updated since; you should be on at least version 3.21.0. Your WAF can help prevent this type of attack by blocking uploads of files with known dangerous extensions, embedded executable PHP code, or known malicious files.
- Note that “premium” does not modify “plug-in.” While some plug-ins may be of higher quality than others, history suggests that, at least collectively, their quality is a problem. Please use them with appropriate caution.
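To make the missing checks concrete, the following is an added, illustrative WordPress plug-in upload handler (not the YITH plug-in's code; function names, the `example_import_action` field, the option key and the JSON import format are assumptions). The first function shows the vulnerable pattern described above: a handler on `admin_init` that trusts `$_POST`/`$_FILES` with no nonce, capability or file-type check. The second shows the same feature with those checks in place, plus the kind of content inspection a WAF would otherwise have to do for you.

```php
<?php
/*
 * Illustrative WordPress plug-in import handler, added as an example.
 * NOT the YITH plug-in's code: all names, the form field, the option key
 * and the JSON import format are assumptions. Only the hook and the checks
 * matter here.
 */

// --- Vulnerable pattern -----------------------------------------------------
// admin_init fires on every request that goes through the admin bootstrap,
// including admin-ajax.php and admin-post.php, which are reachable WITHOUT
// a logged-in user. A handler hooked here that trusts $_POST/$_FILES is an
// unauthenticated entry point.
function example_vulnerable_import() {
    if ( empty( $_POST['example_import_action'] ) || empty( $_FILES['file'] ) ) {
        return; // nothing to do on ordinary admin page loads
    }
    // No nonce (CSRF) check, no capability check, no file-type check:
    // the caller chooses the file name, so "shell.php" lands somewhere
    // web-reachable and the site is owned.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
}
// add_action( 'admin_init', 'example_vulnerable_import' ); // left disabled on purpose

// --- Hardened pattern -------------------------------------------------------
function example_hardened_import() {
    if ( empty( $_POST['example_import_action'] ) || empty( $_FILES['file'] ) ) {
        return;
    }
    // 1. Authorisation: only an administrator may import settings.
    //    This alone turns the unauthenticated request into a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action
    //    (the form side emits it with wp_nonce_field( 'example_import' )).
    check_admin_referer( 'example_import' );
    // 3. File type: accept only the format the feature needs (assumed JSON),
    //    checked against an explicit allow-list rather than the client name.
    $allowed = array( 'json' => 'application/json' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || 'json' !== $check['ext'] ) {
        wp_die( 'Only JSON exports may be imported', 400 );
    }
    // 4. Defence in depth: refuse content that looks like PHP even when the
    //    name passes, since a .json containing <?php is still a payload if it
    //    is ever included or renamed.
    $raw = file_get_contents( $_FILES['file']['tmp_name'] );
    if ( false === $raw || false !== stripos( $raw, '<?php' ) || false !== stripos( $raw, '<?=' ) ) {
        wp_die( 'Rejected: file contains PHP code', 400 );
    }
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Rejected: not a valid settings export', 400 );
    }
    // Never persist the upload on disk under the caller's file name; consume
    // the parsed data and store it through the options API instead.
    update_option( 'example_plugin_settings', $settings );
}
add_action( 'admin_init', 'example_hardened_import' );
```

Two design points worth noting. First, the capability check is what actually closes the unauthenticated path; the nonce check only protects logged-in administrators from being tricked into submitting the request (CSRF), so both are needed. Second, a state-changing handler on `admin_init` is itself a smell: WordPress provides the `admin_post_{action}` hook via admin-post.php, which only fires for logged-in users (anonymous requests go to `admin_post_nopriv_{action}`), so moving the handler there makes the authentication boundary explicit instead of relying on a check inside the function.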
Overview
A critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin is being exploited to plant backdoors and obtain remote access to affected websites. Tracked as CVE-2022-45359 and identified as an arbitrary file upload issue, the flaw has a CVSS score of 9.8.