We have been closely monitoring an active exploit campaign targeting websites that run the WooCommerce Payments plugin. This popular plugin, installed on over 600,000 sites, carries a critical vulnerability tracked as CVE-2023-28121: an unauthenticated privilege-escalation flaw that lets an attacker act as an administrator without any credentials. Because the payoff is full administrative access, vulnerable sites are a highly sought-after target.
The campaign began on July 14, 2023 and has continued since. Over the weekend the attacks peaked on July 16, with 1.3 million attack requests against 157,000 sites. Attacks at that scale and persistence demand immediate attention.
Our Commitment to Your Security
At Positive Medium, we are committed to safeguarding our clients’ digital assets. As part of our proactive approach to security, we have installed the Wordfence security plugin for all of our clients, and its firewall rule for this vulnerability has been in place since April 22. That rule blocks the exploit requests, but it is not a substitute for patching: the plugin itself still needs to be updated to a release newer than 5.6.1.
Understanding the Tactics
The attacks come primarily from a handful of IP addresses, with a few of them far more aggressive than the rest. The attackers rely on a single request header, “X-Wcpay-Platform-Checkout-User: 1”. Vulnerable versions of the plugin treat the value of that header as the ID of the user making the request, so a value of 1 (normally the site’s original administrator account) lets an unauthenticated request act as that administrator. HTTP header names are case-insensitive, so any rule or log search you write for it should match regardless of letter case.
With that access, the attackers install the WP Console plugin, which exposes a PHP console and lets them run arbitrary code on the site. To keep their foothold even after the plugin is patched, they also create additional administrator users with randomized alphanumeric usernames. Those two artifacts are the indicators to look for.
If you run the WooCommerce Payments plugin at any version in the vulnerable range (4.8.0 to 5.6.1), update it past 5.6.1 first, then review the site thoroughly. Look for plugins you did not install (WP Console in particular) and for administrator accounts you do not recognize, especially ones created on or after July 14, 2023 or with random-looking names. Either is a strong sign the site has already been compromised, and in that case the attacker’s admin users and plugins must be removed and all passwords and API keys rotated.
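To make that review repeatable, here is a small audit script. It is an added example written for this advisory, not code from WooCommerce, Wordfence or the campaign itself. It assumes the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`, assumes WP Console’s plugin slug is `wp-console`, and uses a heuristic of our own for “randomized alphanumeric” usernames. The sample data at the bottom is constructed, not taken from a real site. The header check works on any proxy or WAF log that records request headers; ordinary access logs usually do not.

```python
"""Review helper for the CVE-2023-28121 campaign indicators (added example)."""
import json
import re
from datetime import date

VULN_MIN = (4, 8, 0)            # vulnerable WooCommerce Payments range from the advisory
VULN_MAX = (5, 6, 1)
CAMPAIGN_START = date(2023, 7, 14)
EXPLOIT_HEADER = "x-wcpay-platform-checkout-user"
KNOWN_BAD_PLUGINS = {"wp-console"}   # slug assumed for the WP Console plugin


def parse_version(text):
    """'5.6.1' -> (5, 6, 1); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(version):
    """True when the version lies in the 4.8.0 - 5.6.1 range."""
    v = parse_version(version)
    return bool(v) and VULN_MIN <= v <= VULN_MAX


def looks_randomized(username):
    """Heuristic (ours, not the advisory's) for randomized alphanumeric usernames.

    Flags names that are purely alphanumeric, at least 8 characters long, and
    switch between letters and digits at least three times. 'admin2023' switches
    once and is not flagged; 'k7q2xp9d' is. Expect some false positives.
    """
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", username):
        return False
    kinds = ["d" if c.isdigit() else "a" for c in username]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return switches >= 3


def review_admins(users_json):
    """Return (user_login, [reasons]) for administrators worth a closer look."""
    findings = []
    for user in json.loads(users_json):
        login, reasons = user["user_login"], []
        registered = date.fromisoformat(user["user_registered"][:10])
        if registered >= CAMPAIGN_START:
            reasons.append("registered on/after %s" % CAMPAIGN_START.isoformat())
        if looks_randomized(login):
            reasons.append("randomized-looking username")
        if reasons:
            findings.append((login, reasons))
    return findings


def review_plugins(plugins_json, expected=()):
    """Flag a vulnerable WooCommerce Payments version and unexpected plugins."""
    findings, expected = [], set(expected)
    for plugin in json.loads(plugins_json):
        name, version = plugin["name"], plugin.get("version", "")
        if name == "woocommerce-payments" and is_vulnerable_version(version):
            findings.append((name, "vulnerable version %s; update past 5.6.1" % version))
        if name in KNOWN_BAD_PLUGINS:
            findings.append((name, "plugin the campaign installs for code execution"))
        elif expected and name not in expected:
            findings.append((name, "not in the expected plugin list"))
    return findings


def uses_exploit_header(headers):
    """True if a request's header mapping carries the attackers' header, any case."""
    return any(name.lower() == EXPLOIT_HEADER for name in headers)


# Constructed sample WP-CLI output for demonstration; not from a real site.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"ID": 57, "user_login": "k7q2xp9d", "user_registered": "2023-07-16 03:41:12"},
    {"ID": 58, "user_login": "admin2023", "user_registered": "2023-05-01 09:00:00"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "7.8.2"},
    {"name": "woocommerce-payments", "status": "active", "update": "available", "version": "5.6.1"},
    {"name": "wp-console", "status": "active", "update": "none", "version": "1.5.0"},
])

if __name__ == "__main__":
    for login, reasons in review_admins(SAMPLE_ADMINS):
        print("ADMIN  %-20s %s" % (login, "; ".join(reasons)))
    for name, reason in review_plugins(SAMPLE_PLUGINS, expected={"woocommerce", "woocommerce-payments"}):
        print("PLUGIN %-20s %s" % (name, reason))
    print("header seen:", uses_exploit_header({"X-WCPAY-PLATFORM-CHECKOUT-USER": "1"}))
```

On a real site, feed the script the output of the two WP-CLI commands named above (or the equivalent queries against `wp_users` and the `active_plugins` option) and pass your own plugin allowlist as `expected`. A flagged administrator is a lead to investigate, not proof of compromise; an installed `wp-console` you did not add is.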
Joining Forces for a Safer Community
If you know someone who runs the WooCommerce Payments plugin, please share this advisory with them. Together we can keep the WordPress community secure.