PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild


The Wordfence Threat Intelligence team has been tracking exploits targeting a [Critical Severity Arbitrary File Upload vulnerability](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yith-woocommerce-gift-cards-premium/yith-woocommerce-gift-cards-premium-3190-unauthenticated-arbitrary-file-upload>) in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor. The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin. This allows attackers to place a back door, obtain Remote Code Execution, and take over the site. All Wordfence customers, including [Wordfence Premium](<https://www.wordfence.com/products/wordfence-premium/>), [Care](<https://www.wordfence.com/products/wordfence-care/>), and [Response](<https://www.wordfence.com/products/wordfence-response/>) customers as well as [Wordfence free](<https://www.wordfence.com/products/wordfence-free/>) users, are protected against exploits targeting this vulnerability by the Wordfence firewall’s built-in file upload rules which prevent the upload of files with known dangerous extensions, files containing executable PHP code, and known malicious files. We highly recommend updating to the latest version of the plugin, which is 3.21.0 at the time of this writing. * * * **Description**: Unauthenticated Arbitrary File Upload **Affected Plugin: **Yith WooCommerce Gift Cards Premium **Plugin Slug**: yith-woocommerce-gift-cards-premium **Affected Versions**: <= 3.19.0 **CVE ID**: [CVE-2022-45359](<https://vulners.com/cve/CVE-2022-45359>) **CVSS Score**: 9.8 (Critical) **CVSS Vector**: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) **Researcher/s**: Dave Jong **Fully Patched Version**: 3.20.0 We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time. The issue lies in the `import_actions_from_settings_panel` function which runs on the `admin_init` hook. Since `admin_init` runs for _any_ page in the `/wp-admin/` directory, it is possible to trigger functions that run on `admin_init` as an unauthenticated attacker by sending a request to `/wp-admin/admin-post.php`. Since the `import_actions_from_settings_panel` function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a `page` parameter set to `yith_woocommerce_gift_cards_panel`, a `ywgc_safe_submit_field` parameter set to `importing_gift_cards`, and a payload in the `file_import_csv` file parameter. Since the function also does not perform any file type checks, _any_ file type including executable PHP files can be uploaded. public function import_actions_from_settings_panel() { if ( ! isset( $_REQUEST['page'] ) || 'yith_woocommerce_gift_cards_panel' != $_REQUEST['page'] || ! isset( $_REQUEST['ywgc_safe_submit_field'] ) ) { return; } if ( $_REQUEST['ywgc_safe_submit_field'] == 'importing_gift_cards' ) { if ( ! isset( $_FILES['file_import_csv'] ) || ! is_uploaded_file( $_FILES['file_import_csv']['tmp_name'] ) ) { return; } $uploaddir = wp_upload_dir(); $temp_name = $_FILES['file_import_csv']['tmp_name']; $file_name = $_FILES['file_import_csv']['name']; if ( ! move_uploaded_file( $temp_name, $uploaddir['basedir'] . '\\' . $file_name ) ) { return; } $this->import_from_csv( $uploaddir['basedir'] . '\\' . $file_name, get_option( 'ywgc_csv_delimitier', ';' ) ); } } ## Cyber Observables These attacks may appear in your logs as unexpected `POST` requests to `wp-admin/admin-post.php` from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed): `kon.php`/`1tes.php` - this file loads a copy of the “marijuana shell” file manager in memory from a remote location at `shell[.]prinsh[.]com` and has a normalized sha256 hash of `1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c` `b.php` - this file is a simple uploader with a normalized sha256 hash of `3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19` `admin.php` - this file is a password-protected backdoor and has a normalized sha256 hash of `8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d` Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses: ``, which sent out 19604 attacks against 10936 different sites and ``, which sent 1220 attacks against 928 sites. The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future. ## Recommendations If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways. If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via[ Wordfence Care](<https://www.wordfence.com/products/wordfence-care/>). If you need your site cleaned immediately, [Wordfence Response](<https://www.wordfence.com/products/wordfence-response/>) offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible. If you are a security researcher, you can [responsibly disclose your finds to us and obtain a CVE ID](<https://www.wordfence.com/request-cve/>) and get your name on the [Wordfence Intelligence Community Edition leaderboard](<https://www.wordfence.com/threat-intel/vulnerabilities/researchers/>). The post [PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild](<https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/>) appeared first on [Wordfence](<https://www.wordfence.com>).