CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.969 High (Percentile: 99.7%)
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign.
The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover.
"Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post.
Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of the software.
A common denominator observed in the attacks is the use of the HTTP request header "X-Wcpay-Platform-Checkout-User: 1", which causes susceptible sites to treat any additional payloads as coming from an administrative user.
Wordfence said the aforementioned loophole is being weaponized to deploy the WP Console plugin, which can be used by an administrator to execute malicious code and install a file uploader to set up persistence and backdoor the compromised site.
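A defender's first question after reading the above is whether that header has shown up in their own traffic. The following log-scanning example is added here and is not Wordfence or WooCommerce code; it assumes a constructed log format in which each line records the request's headers after `hdr=`, and the sample lines are constructed.

```python
"""Flag requests carrying the X-Wcpay-Platform-Checkout-User header.

Added example, not code from the article, Wordfence or WooCommerce.
The log format below is an assumption: web servers only log headers
if configured to, so adapt LINE_RE to your own access-log layout.
"""
import re
from collections import Counter

# Assumed (constructed) format: <ip> "<METHOD> <path>" <status> hdr=<Name: value>;...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) hdr=(?P<headers>.*)$'
)
# The header named in the article; compared lowercased because HTTP header
# names are case-insensitive and attackers need not use the canonical casing.
BYPASS_HEADER = "x-wcpay-platform-checkout-user"

# Constructed sample log: two requests abuse the header, two are benign.
SAMPLE_LOG = """\
198.51.100.7 "POST /wp-admin/admin-ajax.php" 200 hdr=X-Wcpay-Platform-Checkout-User: 1;User-Agent: curl/8.0
203.0.113.9 "GET /wp-json/wp/v2/posts" 200 hdr=User-Agent: Mozilla/5.0
198.51.100.7 "POST /wp-json/wp/v2/plugins" 201 hdr=x-wcpay-platform-checkout-user: 1;Content-Type: application/json
192.0.2.4 "GET /checkout/" 200 hdr=User-Agent: Mozilla/5.0
"""


def parse_line(line):
    """Return a dict with ip/method/path/status and a lowercased header map, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    headers = {}
    for raw in entry.pop("headers").split(";"):
        name, _, value = raw.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    entry["headers"] = headers
    return entry


def find_bypass_attempts(log_text):
    """Every parsed request that carries the impersonation header, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and BYPASS_HEADER in e["headers"]]


def attempts_by_source(log_text):
    """Count flagged requests per client IP, to surface the mass-scanning pattern."""
    return Counter(e["ip"] for e in find_bypass_attempts(log_text))


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> claimed user {hit['headers'][BYPASS_HEADER]}")
    print(dict(attempts_by_source(SAMPLE_LOG)))
```

A hit on a site running a vulnerable version is a reason to check for unexpected plugins such as WP Console and for newly added files, not just to block the source.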
The disclosure comes as Rapid7 reported that it observed active exploitation of Adobe ColdFusion flaws in multiple customer environments starting July 13, 2023, to deploy web shells on infected endpoints.
"Threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability," Rapid7 security researcher Caitlin Condon said. The additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that was addressed in an out-of-band update released on July 14.
CVE-2023-29298 (CVSS score: 7.5) concerns an access control bypass vulnerability impacting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.
"The vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL," Rapid7 disclosed last week.
Rapid7, however, warned that the fix for CVE-2023-29298 is incomplete and that it could be trivially modified to bypass the patches released by Adobe.
Users are advised to update to the latest version of Adobe ColdFusion to secure against potential threats, since the fixes put in place to resolve CVE-2023-38203 break the exploit chain.