PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild

2022-12-22T17:23:55

Description

The Wordfence Threat Intelligence team has been tracking exploits targeting a [Critical Severity Arbitrary File Upload vulnerability](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yith-woocommerce-gift-cards-premium/yith-woocommerce-gift-cards-premium-3190-unauthenticated-arbitrary-file-upload>) in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor. The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin. This allows attackers to place a back door, obtain Remote Code Execution, and take over the site. All Wordfence customers, including [Wordfence Premium](<https://www.wordfence.com/products/wordfence-premium/>), [Care](<https://www.wordfence.com/products/wordfence-care/>), and [Response](<https://www.wordfence.com/products/wordfence-response/>) customers as well as [Wordfence free](<https://www.wordfence.com/products/wordfence-free/>) users, are protected against exploits targeting this vulnerability by the Wordfence firewall’s built-in file upload rules which prevent the upload of files with known dangerous extensions, files containing executable PHP code, and known malicious files. We highly recommend updating to the latest version of the plugin, which is 3.21.0 at the time of this writing. * * * **Description**: Unauthenticated Arbitrary File Upload **Affected Plugin: **Yith WooCommerce Gift Cards Premium **Plugin Slug**: yith-woocommerce-gift-cards-premium **Affected Versions**: <= 3.19.0 **CVE ID**: [CVE-2022-45359](<https://vulners.com/cve/CVE-2022-45359>) **CVSS Score**: 9.8 (Critical) **CVSS Vector**: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) **Researcher/s**: Dave Jong **Fully Patched Version**: 3.20.0 We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time. The issue lies in the `import_actions_from_settings_panel` function which runs on the `admin_init` hook. Since `admin_init` runs for _any_ page in the `/wp-admin/` directory, it is possible to trigger functions that run on `admin_init` as an unauthenticated attacker by sending a request to `/wp-admin/admin-post.php`. Since the `import_actions_from_settings_panel` function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a `page` parameter set to `yith_woocommerce_gift_cards_panel`, a `ywgc_safe_submit_field` parameter set to `importing_gift_cards`, and a payload in the `file_import_csv` file parameter. Since the function also does not perform any file type checks, _any_ file type including executable PHP files can be uploaded. public function import_actions_from_settings_panel() { if ( ! isset( $_REQUEST['page'] ) || 'yith_woocommerce_gift_cards_panel' != $_REQUEST['page'] || ! isset( $_REQUEST['ywgc_safe_submit_field'] ) ) { return; } if ( $_REQUEST['ywgc_safe_submit_field'] == 'importing_gift_cards' ) { if ( ! isset( $_FILES['file_import_csv'] ) || ! is_uploaded_file( $_FILES['file_import_csv']['tmp_name'] ) ) { return; } $uploaddir = wp_upload_dir(); $temp_name = $_FILES['file_import_csv']['tmp_name']; $file_name = $_FILES['file_import_csv']['name']; if ( ! move_uploaded_file( $temp_name, $uploaddir['basedir'] . '\\' . $file_name ) ) { return; } $this->import_from_csv( $uploaddir['basedir'] . '\\' . $file_name, get_option( 'ywgc_csv_delimitier', ';' ) ); } } ## Cyber Observables These attacks may appear in your logs as unexpected `POST` requests to `wp-admin/admin-post.php` from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed): `kon.php`/`1tes.php` - this file loads a copy of the “marijuana shell” file manager in memory from a remote location at `shell[.]prinsh[.]com` and has a normalized sha256 hash of `1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c` `b.php` - this file is a simple uploader with a normalized sha256 hash of `3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19` `admin.php` - this file is a password-protected backdoor and has a normalized sha256 hash of `8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d` Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses: `103.138.108.15`, which sent out 19604 attacks against 10936 different sites and `188.66.0.135`, which sent 1220 attacks against 928 sites. The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future. ## Recommendations If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways. If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via[ Wordfence Care](<https://www.wordfence.com/products/wordfence-care/>). If you need your site cleaned immediately, [Wordfence Response](<https://www.wordfence.com/products/wordfence-response/>) offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible. If you are a security researcher, you can [responsibly disclose your finds to us and obtain a CVE ID](<https://www.wordfence.com/request-cve/>) and get your name on the [Wordfence Intelligence Community Edition leaderboard](<https://www.wordfence.com/threat-intel/vulnerabilities/researchers/>). The post [PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild](<https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/>) appeared first on [Wordfence](<https://www.wordfence.com>).

{"id": "WORDFENCE:5343D1D578DFD9F1154EBACA613EDA12", "vendorId": null, "type": "wordfence", "bulletinFamily": "info", "title": "PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild", "description": "The Wordfence Threat Intelligence team has been tracking exploits targeting a [Critical Severity Arbitrary File Upload vulnerability](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yith-woocommerce-gift-cards-premium/yith-woocommerce-gift-cards-premium-3190-unauthenticated-arbitrary-file-upload>) in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.\n\nThe vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin. This allows attackers to place a back door, obtain Remote Code Execution, and take over the site.\n\nAll Wordfence customers, including [Wordfence Premium](<https://www.wordfence.com/products/wordfence-premium/>), [Care](<https://www.wordfence.com/products/wordfence-care/>), and [Response](<https://www.wordfence.com/products/wordfence-response/>) customers as well as [Wordfence free](<https://www.wordfence.com/products/wordfence-free/>) users, are protected against exploits targeting this vulnerability by the Wordfence firewall\u2019s built-in file upload rules which prevent the upload of files with known dangerous extensions, files containing executable PHP code, and known malicious files.\n\nWe highly recommend updating to the latest version of the plugin, which is 3.21.0 at the time of this writing.\n\n* * *\n\n**Description**: Unauthenticated Arbitrary File Upload \n**Affected Plugin: **Yith WooCommerce Gift Cards Premium \n**Plugin Slug**: yith-woocommerce-gift-cards-premium \n**Affected Versions**: <= 3.19.0 \n**CVE ID**: [CVE-2022-45359](<https://vulners.com/cve/CVE-2022-45359>) \n**CVSS Score**: 9.8 (Critical) \n**CVSS Vector**: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n**Researcher/s**: Dave Jong \n**Fully Patched Version**: 3.20.0\n\nWe were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.\n\nThe issue lies in the `import_actions_from_settings_panel` function which runs on the `admin_init` hook.\n\nSince `admin_init` runs for _any_ page in the `/wp-admin/` directory, it is possible to trigger functions that run on `admin_init` as an unauthenticated attacker by sending a request to `/wp-admin/admin-post.php`.\n\nSince the `import_actions_from_settings_panel` function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a `page` parameter set to `yith_woocommerce_gift_cards_panel`, a `ywgc_safe_submit_field` parameter set to `importing_gift_cards`, and a payload in the `file_import_csv` file parameter.\n\nSince the function also does not perform any file type checks, _any_ file type including executable PHP files can be uploaded.\n \n \n \t\tpublic function import_actions_from_settings_panel() {\n \n \t\t\tif ( ! isset( $_REQUEST['page'] ) || 'yith_woocommerce_gift_cards_panel' != $_REQUEST['page'] || ! isset( $_REQUEST['ywgc_safe_submit_field'] ) ) {\n \t\t\t\treturn;\n \t\t\t}\n \n \t\t\tif ( $_REQUEST['ywgc_safe_submit_field'] == 'importing_gift_cards' ) {\n \n \n \t\t\t\tif ( ! isset( $_FILES['file_import_csv'] ) || ! is_uploaded_file( $_FILES['file_import_csv']['tmp_name'] ) ) {\n \t\t\t\t\treturn;\n \t\t\t\t}\n \n \t\t\t\t$uploaddir = wp_upload_dir();\n \n \t\t\t\t$temp_name = $_FILES['file_import_csv']['tmp_name'];\n \t\t\t\t$file_name = $_FILES['file_import_csv']['name'];\n \n \t\t\t\tif ( ! move_uploaded_file( $temp_name, $uploaddir['basedir'] . '\\\\' . $file_name ) ) {\n \t\t\t\t\treturn;\n \t\t\t\t}\n \n \t\t\t\t$this->import_from_csv( $uploaddir['basedir'] . '\\\\' . $file_name, get_option( 'ywgc_csv_delimitier', ';' ) );\n \n \t\t\t}\n \n \t\t}\n\n## Cyber Observables\n\nThese attacks may appear in your logs as unexpected `POST` requests to `wp-admin/admin-post.php` from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):\n\n`kon.php`/`1tes.php` - this file loads a copy of the \u201cmarijuana shell\u201d file manager in memory from a remote location at `shell[.]prinsh[.]com` and has a normalized sha256 hash of `1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c`\n\n`b.php` - this file is a simple uploader with a normalized sha256 hash of `3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19`\n\n`admin.php` - this file is a password-protected backdoor and has a normalized sha256 hash of `8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d`\n\nAlthough we\u2019ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:\n\n`103.138.108.15`, which sent out 19604 attacks against 10936 different sites \nand \n`188.66.0.135`, which sent 1220 attacks against 928 sites.\n\nThe majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.\n\n## Recommendations\n\nIf you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.\n\nIf you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via[ Wordfence Care](<https://www.wordfence.com/products/wordfence-care/>). If you need your site cleaned immediately, [Wordfence Response](<https://www.wordfence.com/products/wordfence-response/>) offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.\n\nIf you are a security researcher, you can [responsibly disclose your finds to us and obtain a CVE ID](<https://www.wordfence.com/request-cve/>) and get your name on the [Wordfence Intelligence Community Edition leaderboard](<https://www.wordfence.com/threat-intel/vulnerabilities/researchers/>).\n\nThe post [PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild](<https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/>) appeared first on [Wordfence](<https://www.wordfence.com>).", "published": "2022-12-22T17:23:55", "modified": "2022-12-22T17:23:55", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/", "reporter": "Ram Gall", "references": [], "cvelist": ["CVE-2022-45359"], "immutableFields": [], "lastseen": "2023-02-08T16:15:08", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:8B976458-79DA-41AF-A310-040F852E128F"]}, {"type": "cve", "idList": ["CVE-2022-45359"]}, {"type": "hivepro", "idList": ["HIVEPRO:69364D063D4532AE3FB1D024C7F38417"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_113485"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:170329"]}, {"type": "patchstack", "idList": ["PATCHSTACK:0A9AED21E0B6EC4BF52D867C70F69817"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E8F8BDC0-AC53-4B14-B34C-4930076711CE"]}, {"type": "zdt", "idList": ["1337DAY-ID-38127"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-45359", "epss": "0.002060000", "percentile": "0.568120000", "modified": "2023-03-20"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1675873329, "score": 1675873208, "epss": 1679354432}, "_internal": {"score_hash": "e7733f58373dd692c9b4f14429e8dbc5"}}

{"attackerkb": [{"lastseen": "2023-01-20T20:06:36", "description": "Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-20T00:00:00", "type": "attackerkb", "title": "CVE-2022-45359", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2023-01-20T00:00:00", "id": "AKB:8B976458-79DA-41AF-A310-040F852E128F", "href": "https://attackerkb.com/topics/7wuQyiTd8t/cve-2022-45359", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2022-12-23T16:00:06", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-23T00:00:00", "type": "packetstorm", "title": "WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-12-23T00:00:00", "id": "PACKETSTORM:170329", "href": "https://packetstormsecurity.com/files/170329/WordPress-Yith-WooCommerce-Gift-Cards-Premium-3.19.0-Shell-Upload.html", "sourceData": "`Description: Unauthenticated Arbitrary File Upload \n \nAffected Plugin: Yith WooCommerce Gift Cards Premium \n \nPlugin Slug: yith-woocommerce-gift-cards-premium \n \nAffected Versions: <= 3.19.0 \n \nCVE ID: CVE-2022-45359 \n \nCVSS Score: 9.8 (Critical) \n \nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N \n \nResearcher/s: Dave Jong \n \nFully Patched Version: 3.20.0 \n \nWe were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time. \n \nThe issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook. \n \nSince admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php. \n \nSince the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter. \n \nSince the function also does not perform any file type checks, any file type including executable PHP files can be uploaded. \n \n \nCyber Observables \n \nThese attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed): \n \nkon.php/1tes.php \u2013 this file loads a copy of the \u201cmarijuana shell\u201d file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c \n \nb.php \u2013 this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19 \n \nadmin.php \u2013 this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d \n \nAlthough we\u2019ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses: \n \n103.138.108.15, which sent out 19604 attacks against 10936 different sites \n \nand \n \n188.66.0.135, which sent 1220 attacks against 928 sites. \n \nThe majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future. \n \nRecommendations \n \nIf you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways. \n \nIf you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. \n \nIf you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible. \n \nIf you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/170329/wpywcgcp3190-shell.txt"}], "zdt": [{"lastseen": "2022-12-24T12:53:25", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-24T00:00:00", "type": "zdt", "title": "WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-12-24T00:00:00", "id": "1337DAY-ID-38127", "href": "https://0day.today/exploit/description/38127", "sourceData": "Description: Unauthenticated Arbitrary File Upload\n\nAffected Plugin: Yith WooCommerce Gift Cards Premium\n\nPlugin Slug: yith-woocommerce-gift-cards-premium\n\nAffected Versions: <= 3.19.0\n\nCVE ID: CVE-2022-45359\n\nCVSS Score: 9.8 (Critical)\n\nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\n\nResearcher/s: Dave Jong\n\nFully Patched Version: 3.20.0\n\nWe were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.\n\nThe issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.\n\nSince admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.\n\nSince the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.\n\nSince the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.\n\n\nCyber Observables\n\nThese attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):\n\nkon.php/1tes.php \u2013 this file loads a copy of the \u201cmarijuana shell\u201d file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c\n\nb.php \u2013 this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19\n\nadmin.php \u2013 this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d\n\nAlthough we\u2019ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:\n\n103.138.108.15, which sent out 19604 attacks against 10936 different sites\n\nand\n\n188.66.0.135, which sent 1220 attacks against 928 sites.\n\nThe majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.\n\nRecommendations\n\nIf you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.\n\nIf you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.\n\nIf you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.\n\nIf you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.\n", "sourceHref": "https://0day.today/exploit/38127", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2022-12-30T15:55:09", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Malicious actors are actively exploiting a critical vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin in order to plant backdoors on e-Commerce sites. The security flaw (CVE-2022-45359) exists due to the "import actions from settings panel" function, which runs on the "admin init" hook. Additionally, this function does not perform capability and CSRF checks, allowing unauthenticated attackers to upload files to vulnerable sites, including web shells that provide full site access. Over 50,000 websites continue to use vulnerable versions of the plugin, enabling threat actors to exploit the bug and plant a backdoor to perform remote code execution attacks.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-30T13:36:36", "type": "hivepro", "title": "WordPress plugin has been exploited in the wild to mount backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-12-30T13:36:36", "id": "HIVEPRO:69364D063D4532AE3FB1D024C7F38417", "href": "https://www.hivepro.com/wordpress-plugin-has-been-exploited-in-the-wild-to-mount-backdoors/", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpvulndb": [{"lastseen": "2022-12-14T02:47:14", "description": "The plugin does not validate files to be uploaded, allowing unauthenticated attackers to upload arbitrary files, such as PHP\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-06T00:00:00", "type": "wpvulndb", "title": "YITH WooCommerce Gift Cards < 3.20.0 - Unauthenticated Arbitrary File Upload", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-12-06T21:11:04", "id": "WPVDB-ID:E8F8BDC0-AC53-4B14-B34C-4930076711CE", "href": "https://wpscan.com/vulnerability/e8f8bdc0-ac53-4b14-b34c-4930076711ce", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-02-09T14:48:20", "description": "Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-06T21:15:00", "type": "cve", "title": "CVE-2022-45359", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-12-07T21:50:00", "cpe": ["cpe:/a:yithemes:yith_woocommerce_gift_cards:3.19.0"], "id": "CVE-2022-45359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45359", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:yithemes:yith_woocommerce_gift_cards:3.19.0:*:*:*:premium:wordpress:*:*"]}], "patchstack": [{"lastseen": "2022-11-22T18:05:50", "description": " Unauth. Arbitrary File Upload vulnerability discovered by Dave Jong (Patchstack) in WordPress YITH WooCommerce Gift Cards Premium plugin (versions <= 3.19.0).\n\n## Solution\n\n\r\n Update the WordPress YITH WooCommerce Gift Cards Premium plugin to the latest available version (at least 3.20.0).\r\n ", "cvss3": {}, "published": "2022-11-22T00:00:00", "type": "patchstack", "title": "WordPress YITH WooCommerce Gift Cards Premium plugin <= 3.19.0 - Unauth. Arbitrary File Upload vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2022-11-22T00:00:00", "id": "PATCHSTACK:0A9AED21E0B6EC4BF52D867C70F69817", "href": "https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-19-0-unauth-arbitrary-file-upload-vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-12T05:12:24", "description": "The WordPress YITH WooCommerce Gift Cards Premium Plugin installed on the remote host is affected by an Arbitrary File Upload.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-03T00:00:00", "type": "nessus", "title": "YITH WooCommerce Gift Cards Premium Plugin for WordPress < 3.20.0 Arbitrary File Upload", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-45359"], "modified": "2023-01-03T00:00:00", "cpe": ["cpe:2.3:a:yithemes:yith_woocommerce_gift_cards:*:*:*:*:premium:wordpress:*:*"], "id": "WEB_APPLICATION_SCANNING_113485", "href": "https://www.tenable.com/plugins/was/113485", "sourceData": "No source data", "cvss": {"score": 0.0, "vector": "NONE"}}]}

PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild

Description

Related