Hackers Exploit Critical WooCommerce Payments Bug
According to a recent post by Ram Gall, a threat analyst at the WordPress security firm Wordfence, an undisclosed group of hackers has initiated a campaign targeting a recently disclosed vulnerability in the WooCommerce Payments plugin. The campaign began on July 14th and peaked on July 16th, when approximately 1.3 million attacks targeted 157,000 websites in a single day.
The critical vulnerability (tracked as CVE-2023-28121) was identified by developers on March 23rd, 2023. It was given a CVSS (Common Vulnerability Scoring System) score of 9.8, rating it “Critical” in severity, because it allows unauthenticated attackers to gain administrative privileges on vulnerable websites.
Although WooCommerce initially stated that there were no known instances of active exploitation of the vulnerability at the time, researchers cautioned that given the critical nature of the bug, it was highly probable that we would witness exploitation in the future.
This vulnerability specifically impacts WooCommerce Payments plugin versions 4.8.0 and above. When the bug was first disclosed, the developers behind the WooCommerce Payments plugin promptly released version 5.6.2 to patch the vulnerability. The fix is included in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, as well as any subsequent releases.
Due to the severity of the vulnerability, which enables remote users to impersonate administrators and gain full control over WordPress sites, Automattic took the proactive step of force-installing the security fix on WordPress installations that utilized the affected plugin. However, this automatic update was not applied to WordPress sites that were hosted on the user’s own servers. In such cases, a manual update was required.
As a result, many website owners failed to apply this critical patch to their plugin, leaving their sites vulnerable to attack.
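For self-hosted sites that had to update manually, the check below, added here as an illustration and not code from the article, Wordfence or WooCommerce, encodes the affected range (4.8.0 and above) and the fixed releases listed above so a site owner can tell whether an installed WooCommerce Payments version still lacks the fix. The WordPress plugin header format and the sample header text are assumptions; the version list comes from the article.

```python
import re

# Affected from 4.8.0 upward; fixed releases per branch as the article lists them.
FIRST_AFFECTED = (4, 8, 0)
FIXED_RELEASES = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4),
    (5, 1): (5, 1, 3), (5, 2): (5, 2, 2), (5, 3): (5, 3, 1),
    (5, 4): (5, 4, 1), (5, 5): (5, 5, 2), (5, 6): (5, 6, 2),
}
LAST_PATCHED_BRANCH = max(FIXED_RELEASES)  # (5, 6); newer branches are "subsequent releases"


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing '-beta'-style tag is ignored."""
    parts = version.strip().split("-")[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def version_from_plugin_header(header_text: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin header comment (assumed format)."""
    m = re.search(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)", header_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Version:' line in plugin header")
    return m.group(1)


def is_vulnerable(version: str) -> bool:
    """True if the version is 4.8.0+ and older than its branch's fixed release."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # earlier than 4.8.0: outside the affected range
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # Unlisted branch: newer than 5.6 carries the fix; anything older is treated as unpatched.
    return branch < LAST_PATCHED_BRANCH


# Constructed sample header, not a real plugin file.
SAMPLE_HEADER = "/**\n * Plugin Name: WooCommerce Payments\n * Version: 5.6.1\n */\n"

if __name__ == "__main__":
    for ver in ["4.7.9", "4.8.1", "5.3.0", "5.3.1", "5.6.2", "5.7.0"]:
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched or unaffected'}")
    print("sample header:", is_vulnerable(version_from_plugin_header(SAMPLE_HEADER)))
```

In practice the header text would be read from the plugin's main PHP file under the site's plugins directory; a version reported as vulnerable means the update described above has not been applied.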