Hackers are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), affecting the WordPress plugin YITH WooCommerce Gift Cards Premium.
CVE-2022-45359 Vulnerability
The CVE-2022-45359 vulnerability allows unauthenticated attackers to upload executables to vulnerable e-commerce websites, as well as install backdoors, obtain remote code execution, and take control of the website for further compromise.
The bug is being weaponized to gain full access to sites running the YITH WooCommerce Gift Cards Premium plugin, WordPress security company Wordfence noted.
According to reports, Wordfence was able to reverse-engineer the exploit using attack data and a copy of the vulnerable plugin, and they are now disclosing details about its operation.
Sending a request to /wp-admin/admin-post.php as an unauthenticated attacker causes functions hooked to admin_init to run, because admin_init fires for any page in the /wp-admin/ directory.
The issue was discovered on November 22, 2022, and was addressed with the release of version 3.20.0.
Below are some files uploaded by threat actors in attacks analyzed by Wordfence:
- kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)
- b.php – this file is a simple uploader
- admin.php – this file is a password-protected backdoor
The vulnerability has been exploited in attacks, with the following IP addresses accounting for the vast majority of exploitation attempts:
- 103.138.108[.]15
- 188.66.0[.]135
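The request path, dropped file names and source IPs above are the indicators a defender can actually look for in web-server access logs. The following is an added example, not code from the article or from Wordfence: a small triage script that parses access-log lines in the Apache/nginx "combined" format (an assumption) and flags requests matching those indicators. The sample log lines are constructed for the demo. Since access logs do not record authentication state, a POST to admin-post.php is treated only as a weak signal that gains weight when it coincides with a listed IP or a hit on one of the dropped file names; `admin.php` is also a legitimate WordPress core file, so that name is only flagged outside `/wp-admin/` and `/wp-includes/`.

```python
"""Triage web-server access logs for indicators of CVE-2022-45359 exploitation.

Added example, not from the article or from Wordfence. The indicators (IPs,
dropped file names, the admin-post.php entry point) come from the article;
the log format is an assumption and the sample lines are constructed.
"""
import posixpath
import re
from dataclasses import dataclass, field

# Indicators from the article (defanging brackets removed so they match raw logs).
SUSPECT_IPS = {"103.138.108.15", "188.66.0.135"}
DROPPED_FILES = {"kon.php", "1tes.php", "b.php", "admin.php"}
ENTRY_POINT = "/wp-admin/admin-post.php"
# Core WordPress directories where a legitimate admin.php lives; a file with
# the same name in the web root or uploads directory is what we care about.
CORE_DIRS = ("/wp-admin/", "/wp-includes/")

# Assumption: logs use the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> int:
        # Crude scoring: each independent indicator adds one point; a dropped
        # file that answered 200 (it exists and was served) adds another.
        score = len(self.reasons)
        if self.status == 200 and any(r.startswith("dropped") for r in self.reasons):
            score += 1
        return score


def analyse_line(line: str):
    """Return a Finding for a suspicious line, or None for a benign or unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that do not parse rather than abort the scan
    ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
    base = path.split("?", 1)[0]  # drop the query string before path checks
    reasons = []
    if ip in SUSPECT_IPS:
        reasons.append(f"source IP {ip} listed by Wordfence")
    if base == ENTRY_POINT and method == "POST":
        # Access logs do not show auth state, so this alone is only a weak signal.
        reasons.append("POST to admin-post.php (entry point abused by the exploit)")
    name = posixpath.basename(base)
    if name in DROPPED_FILES and not base.startswith(CORE_DIRS):
        reasons.append(f"dropped file name {name} outside core directories")
    return Finding(ip, path, status, reasons) if reasons else None


def scan(lines):
    """Scan an iterable of log lines; return findings sorted by severity, highest first."""
    findings = [f for f in map(analyse_line, lines) if f is not None]
    return sorted(findings, key=lambda f: f.severity, reverse=True)


# Constructed sample log lines (203.0.113.x and 198.51.100.x are documentation ranges).
SAMPLE_LOGS = [
    '103.138.108.15 - - [23/Nov/2022:10:01:12 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Nov/2022:10:01:15 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 2048 "-" "curl/7.81.0"',
    '198.51.100.4 - - [23/Nov/2022:10:02:00 +0000] "GET /wp-admin/admin.php?page=plugins HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Nov/2022:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '188.66.0.135 - - [23/Nov/2022:10:03:00 +0000] "GET /b.php HTTP/1.1" 404 153 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[sev {f.severity}] {f.ip} {f.path} {f.status}: {'; '.join(f.reasons)}")
```

Run against the constructed sample, three of the five lines are flagged: the POST to admin-post.php from a listed IP, the fetch of kon.php from the uploads directory, and the probe for b.php from the second listed IP. The legitimate /wp-admin/admin.php request and the front-page hit are left alone. On a real server, feed `scan()` the access log and review findings in severity order; any hit on a dropped file name that returned 200 should be treated as a likely compromise and the file content examined.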
Mitigation
Users of the WooCommerce Gift Cards plugin must update to version 3.20.0 or higher to close the vulnerability.