Threat actors abused a flaw in the WordPress gift card plugin

January 10, 2023

Threat groups are currently targeting a critical bug in a WordPress gift card plugin that is used on over 50,000 sites. Based on reports, the affected plugin is YITH WooCommerce Gift Cards Premium, which website admins use to sell gift cards in their online stores.

The vulnerability allows unauthenticated hackers to upload files, including web shells, to vulnerable websites, giving them full access to the site.

Researchers said the flaw is tracked as CVE-2022-45359 and impacts all plugin versions up to 3.19.0. The issue was fixed in version 3.20.0, and the vendor has since published version 3.21.0, which is the recommended upgrade target.

However, most website owners still utilise the older version, and the attackers have already created an efficient exploit to abuse the bug.

 

Experts explained that the hackers use the WordPress gift card plugin as a vector for illegal activities.

 

WordPress security experts said that hackers are now actively exploiting the WordPress gift card plugin flaw. The attackers leverage the flaw to upload backdoors to targeted websites, achieve remote code execution (RCE), and take over the sites.

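The researchers reverse-engineered a sample exploit that the hackers used in their attacks and discovered that the issue was within the plugin’s “import_actions_from_settings_panel” function. The function runs on the admin_init hook and does not perform capability checks in exploited versions. Because admin_init also fires for requests to admin-post.php from visitors who are not logged in, a handler on that hook without a capability check is reachable by anyone.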

Together, these issues allow unauthenticated attackers to send POST requests to “/wp-admin/admin-post.php” with the corresponding parameters and upload a malicious PHP executable to the targeted website.

The malicious requests appear in logs as unexpected POST requests from unknown IP addresses, which should be a red flag for admins that something is happening with their websites.
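The log check described above can be sketched as follows. This is an added example, not code from the researchers or the plugin vendor; it assumes Combined Log Format access logs, an admin IP allowlist you supply, and treats a 302 response to a wp-login.php POST as a login (a heuristic). The sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined Log Format prefix: ip - user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TARGET = "/wp-admin/admin-post.php"

# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2023:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2023:09:12:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
203.0.113.45 - - [10/Jan/2023:09:30:02 +0000] "POST /wp-admin/admin-post.php?a=1 HTTP/1.1" 200 0
203.0.113.45 - - [10/Jan/2023:09:30:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 0
192.0.2.10 - - [10/Jan/2023:09:31:00 +0000] "GET /wp-admin/admin-post.php HTTP/1.1" 200 0
not an access-log line
"""

def suspicious_posts(log_text, admin_networks=()):
    """Return {ip: summary} for POSTs to admin-post.php from non-allowlisted IPs."""
    nets = [ip_network(n) for n in admin_networks]
    login_ok = set()  # IPs with a redirected (302) login POST seen earlier (heuristic)
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "prior_login": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue                      # skip unparsable lines and non-POSTs
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == "/wp-login.php" and m["status"] == "302":
            login_ok.add(ip)
        if path != TARGET:
            continue
        try:
            if any(ip_address(ip) in n for n in nets):
                continue                  # known admin source, not reported
        except ValueError:
            pass                          # hostname instead of IP: treat as unknown
        h = hits[ip]
        h["count"] += 1
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
        h["prior_login"] = h["prior_login"] or ip in login_ok
    return dict(hits)

if __name__ == "__main__":
    for ip, h in suspicious_posts(SAMPLE_LOG, ["198.51.100.0/24"]).items():
        print(ip, h)
```

Entries with `prior_login` set to False are the ones that match the article's description most closely: POSTs to admin-post.php from a source that never logged in.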

Several analysts reported that most attacks they saw happened last month before administrators could release an update to fix the vulnerability. Researchers also noticed a second surge of attacks earlier this month.

Exploitation is still ongoing. Researchers therefore urge users of the YITH WooCommerce Gift Cards Premium plugin to update to version 3.21 immediately.
