Lucene search

K
thnThe Hacker NewsTHN:F348420D721F0F81C809FDA17D41110A
HistoryJul 18, 2023 - 5:56 a.m.

Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

2023-07-1805:56:00
The Hacker News
thehackernews.com
39
cybercriminals
woocommerce
flaw
site hijacking
targeted campaign
vulnerable version
http request header
exploited
adobe coldfusion

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.969 High

EPSS

Percentile

99.7%

WooCommerce Payments

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign.

The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover.

β€œLarge-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” Wordfence security researcher Ram Gall said in a Monday post.

Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of the software.

A common denominator observed in the attacks entails the use of the HTTP request header β€œX-Wcpay-Platform-Checkout-User: 1” that causes susceptible sites to treat any additional payloads as coming from an administrative user.

Wordfence said the aforementioned loophole is being weaponized to deploy the WP Console plugin, which can be used by an administrator to execute malicious code and install a file uploader to set up persistence and backdoor the compromised site.

Adobe ColdFusion Flaws Exploited in the Wild

The disclosure comes as Rapid7 reported that it observed active exploitation of Adobe ColdFusion flaws in multiple customer environments starting July 13, 2023, to deploy web shells on infected endpoints.

β€œThreat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability,” Rapid7 security researcher Caitlin Condon said. The additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that was addressed in an out-of-band update released on July 14.

UPCOMING WEBINAR

[Shield Against Insider Threats: Master SaaS Security Posture Management

](<https://thn.news/I26t1VFD&gt;)

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

CVE-2023-29298 (CVSS score: 7.5) concerns an access control bypass vulnerability impacting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.

β€œThe vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL,” Rapid7 disclosed last week.

Rapid7, however, warned that the fix for CVE-2023-29298 is incomplete and that it could be trivially modified to bypass the patches released by Adobe.

Users are recommended to update to the latest version of Adobe ColdFusion to secure against potential threats, since the fixes put in place to resolve CVE-2023-38203 breaks the exploit chain.

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.969 High

EPSS

Percentile

99.7%