Threat actors have carried out large-scale attacks against hundreds of thousands of WordPress websites, exploiting a recently patched vulnerability in the popular WooCommerce Payments ecommerce plugin.
The campaign, carried out by unidentified hackers, began on July 14 and peaked at 1.3 million attacks against 157,000 sites on July 16, according to a Monday post by Ram Gall, threat analyst at WordPress security firm Wordfence.
WooCommerce Payments is installed on over 600,000 WordPress sites to enable payment processing. The attackers seek to exploit a critical vulnerability, patched in March, that enables adversaries to gain unauthorized administrator access via the plugin.
The vulnerability, tracked as CVE-2023-28121, has a CVSS v3 rating of 9.8, making it “an appealing target” for threat actors, Gall wrote.
“These attacks demonstrate significantly more sophistication than similar attacks we’ve seen in the past, including reconnaissance ahead of the main wave of attacks and multiple methods of maintaining persistence using functionality available to administrator-level users,” he wrote, adding that “Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites.”
Wordfence observed more than 213,000 attacks originating from a single IP address, 194.169.175.93, while more than 150,000 further attacks came from a handful of other addresses.
Once the threat actors were able to gain administrator privileges, they were often observed attempting to install the WP Console plugin, which can be used to execute malicious code and place a file uploader on a compromised system in order to establish persistence.
Earlier this month, Julien Ahrens of RCE Security published a technical blog analyzing the WooCommerce vulnerability and demonstrating a proof of concept used to exploit it.
“Since we can impersonate administrative users, it is quite easy to compromise the entire WordPress instance,” he wrote.
Gall said Wordfence began seeing “early warning signs” of the threat actor’s campaign prior to the main wave of attacks between July 14 and 16.
The attackers probed millions of sites for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory; its presence was a strong indicator that the vulnerable plugin was installed.
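The reconnaissance and post-compromise behaviour described above leaves traces in ordinary web-server access logs, so a site operator can look for it without any special tooling. The following Python script is an added example, not code from the article or from Wordfence: it parses access-log lines in the common Apache/nginx "combined" format and flags three things the article describes, probes for the plugin's readme.txt (and whether the server answered 200, i.e. confirmed the plugin to the scanner), requests from the IP address the article reports, and attempts to install the WP Console plugin. The wp-admin installer URL pattern used for the last check is an assumption about standard WordPress behaviour, not something the article states, and the log lines are constructed sample data.

```python
"""Scan web-server access logs for the activity described in the article:
probes for the WooCommerce Payments readme.txt, traffic from the reported
scanner IP, and post-compromise attempts to install the WP Console plugin."""
import re
from collections import Counter, defaultdict

# Indicators taken directly from the article.
RECON_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"
KNOWN_SCANNER_IPS = {"194.169.175.93"}

# Assumed indicator (not from the article): the standard wp-admin plugin
# installer URL carrying the WP Console plugin slug.
PLUGIN_INSTALL_RE = re.compile(r"/wp-admin/update\.php\?.*\bplugin=wp-console\b")

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 documentation addresses plus the IP
# named in the article); not real traffic.
SAMPLE_LOG = """\
194.169.175.93 - - [14/Jul/2023:03:12:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2023:03:12:05 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 512 "-" "curl/7.88.1"
198.51.100.22 - - [14/Jul/2023:03:15:40 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2023:11:02:13 +0000] "POST /wp-admin/update.php?action=install-plugin&plugin=wp-console HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the indicator names matched by one parsed log entry."""
    hits = []
    plain_path = entry["path"].split("?", 1)[0]
    if plain_path == RECON_PATH:
        hits.append("wcpay_readme_probe")
        if entry["status"] == 200:
            # A 200 tells the scanner the plugin directory exists on this site.
            hits.append("wcpay_readme_present")
    if entry["ip"] in KNOWN_SCANNER_IPS:
        hits.append("known_scanner_ip")
    if PLUGIN_INSTALL_RE.search(entry["path"]):
        hits.append("wp_console_install_attempt")
    return hits


def scan_log(text):
    """Map each source IP to a Counter of indicator hits; IPs with no hits are omitted."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for hit in classify(entry):
            per_ip[entry["ip"]][hit] += 1
    return dict(per_ip)


def suspicious_ips(summary):
    """Sorted list of IPs that triggered at least one indicator."""
    return sorted(ip for ip, hits in summary.items() if sum(hits.values()) > 0)


if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    for ip in suspicious_ips(summary):
        print(ip, dict(summary[ip]))
```

Run against a real log with `scan_log(open("access.log").read())`. A readme probe answered with 200 is the most useful signal: it means the site told the scanner the plugin was present, so that host should be checked for an unpatched version and for unexpected administrator accounts or plugin installs in the days that follow.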
In March, WooCommerce shipped a fix for the vulnerability and worked with WordPress to auto-update and patch sites running versions 4.8.0 through 5.6.1 of the WooCommerce Payments plugin.
All websites that have versions 4.8.0 or higher of the plugin installed and activated, but are not hosted on WordPress.com and have not been updated to a patched version, remain potentially at risk from the vulnerability.