Apparently, New Year's Eve is no time for updates, especially when WordPress online stores are busy selling gift cards through the popular YITH WooCommerce Gift Cards Premium plugin.
As it turns out, hackers are no less active: they are scanning the network and exploiting CVE-2022-45359, a critical vulnerability in the plugin rated 9.8 on the CVSS scale, which allows unauthorized users to upload files to vulnerable sites and gain full control of them.
In keeping with the classics of the genre, anything involving WordPress is notable for the scale of the threat, and the bug in YITH WooCommerce Gift Cards Premium is no exception, since the plugin is used on more than 50,000 sites.
The vulnerability was discovered on November 22 and affects all versions of the plugin up to 3.19.0.
The patch shipped in version 3.20.0, but the vendor has since released version 3.21.0 and now strongly recommends updating to it.
Wordfence researchers report that many sites still run a vulnerable version of the plugin, which unfortunately has not gone unnoticed by attackers, who are exploiting the bug in full swing to upload backdoors, achieve RCE and hijack other people's sites.
Experts have analyzed the exploit used by hackers and found that the root of the problem lies in the import_actions_from_settings_panel function, which is hooked to admin_init.
This function performs no CSRF or capability checks, which ultimately allows an attacker to send POST requests to /wp-admin/admin-post.php and upload malicious executable PHP files to the site. In the logs, this shows up as unexpected POST requests from unknown IP addresses.
Wordfence found out that hackers uploaded the following files to vulnerable sites:
• kon.php/1tes.php - loads into memory a copy of the marijuana shell file manager from a remote source (shell.prinsh[.]com);
• b.php — simple loader file;
• admin.php — password-protected backdoor.
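One way to triage access logs for the pattern described above, as an added example that is not from Wordfence or the original post: it flags POSTs to /wp-admin/admin-post.php from IPs outside an assumed allowlist of known administrator addresses, plus requests for the file names listed above. The log lines, the IP addresses, the paths and the combined log format are constructed for illustration.

```python
import re

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2022:03:12:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 0 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:03:12:03 +0000] "GET /b.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.20 - - [14/Dec/2022:09:00:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/" "Mozilla/5.0"
198.51.100.20 - - [14/Dec/2022:09:00:12 +0000] "GET /wp-admin/admin.php?page=wc-settings HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Dec/2022:11:30:00 +0000] "GET /wp-content/uploads/admin.php HTTP/1.1" 200 120 "-" "curl/7.85"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
UPLOAD_ENDPOINT = "/wp-admin/admin-post.php"
# File names reported on the page as uploaded to compromised sites.
DROPPED = {"kon.php", "1tes.php", "b.php", "admin.php"}

def scan(log_text, known_admin_ips):
    """Return (ip, timestamp, reason, path) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, target, _status = m.groups()
        path = re.sub(r"/+", "/", target.split("?", 1)[0])  # drop query, collapse //
        name = path.rsplit("/", 1)[-1].lower()
        if method == "POST" and path == UPLOAD_ENDPOINT and ip not in known_admin_ips:
            findings.append((ip, ts, "post-to-admin-post", path))
        # /wp-admin/admin.php is a WordPress core file, so that name only counts elsewhere.
        elif name in DROPPED and path != "/wp-admin/admin.php":
            findings.append((ip, ts, "dropped-file-request", path))
    return findings

if __name__ == "__main__":
    # The allowlist is an assumption: replace it with your own administrators' addresses.
    for finding in scan(SAMPLE_LOG, known_admin_ips={"198.51.100.20"}):
        print(finding)
```

Other plugins and front-end forms also post to admin-post.php, so a hit on the first rule is a lead to correlate with new PHP files on disk, not proof of compromise.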
Analysts report that most of the attacks occurred in November, before administrators had time to fix the vulnerability, but a second peak of attacks occurred on December 14, 2022.
The attacks continue to this day, so YITH WooCommerce Gift Cards Premium should be updated to version 3.21 as soon as possible.