WooCommerce Payments WP Plugin Flaw Goes Under Active Attack

Months after the patch was released, attackers are still exploiting a security flaw in the WooCommerce Payments WordPress plugin. Researchers have found the vulnerability under active attack and are urging WordPress admins to update their sites to the latest plugin version immediately.

WooCommerce Payments Plugin Flaw Actively Exploited

In March, the WordPress security firm Wordfence elaborated on a severe security flaw in the WooCommerce Payments plugin.

The vulnerability first caught the attention of GoldNetwork’s researcher Michael Mazzolini, whose report made the developers fix the flaw with plugin release 5.6.2.

However, WordPress admins' failure to update their websites appears to be undermining the developers' efforts, as Wordfence now reports detecting active exploitation of the flaw.

According to Wordfence, the active exploitation began on July 14, 2023, and hit a number of different websites. What is peculiar about this campaign is that the attackers used the flaw against a specific set of sites rather than mass-targeting random websites.

In addition, the Wordfence team observed a spike in plugin enumeration requests looking for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of websites. They explained that not all such requests were malicious, but the behavior raised the alarm and led Wordfence to discover the exploitation attempts.

The researchers found these requests coming from thousands of IP addresses, which makes IP blocking an unsuitable defense. However, all malicious requests carried the header X-Wcpay-Platform-Checkout-User: 1, which causes the site to treat the incoming request as if it came from an administrator. The attackers sending these requests then attempted to install the WP Console plugin to achieve remote code execution on the target websites.
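The two indicators above (the forged X-Wcpay-Platform-Checkout-User header and readme.txt enumeration of the plugin directory) can be turned into a log-review check. The script below is an added example for this article, not code from Wordfence or the plugin developers. It assumes the web server has been configured to write that request header into its access log (for Apache, a LogFormat containing `%{X-Wcpay-Platform-Checkout-User}i`, which is the assumed field order parsed here); the log lines are constructed for the example. It also includes a version comparison against the 5.6.2 fix release named in the article.

```python
import re
from collections import defaultdict

# Assumed access-log layout (one Apache LogFormat that would produce it):
#   %h %t "%r" %>s "%{X-Wcpay-Platform-Checkout-User}i"
# i.e. client IP, timestamp, request line, status, then the header value
# ("-" when the client did not send it).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'"(?P<wcpay_hdr>[^"]*)"$'
)

# Path probed during the plugin enumeration spike described in the article.
ENUM_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"

# First release that fixed the flaw, per the article.
FIXED_VERSION = (5, 6, 2)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 [14/Jul/2023:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 "-"
203.0.113.11 [14/Jul/2023:10:01:05 +0000] "POST /wp-json/ HTTP/1.1" 200 "1"
203.0.113.11 [14/Jul/2023:10:01:07 +0000] "POST /wp-json/ HTTP/1.1" 200 "1"
203.0.113.12 [14/Jul/2023:10:01:09 +0000] "POST /wp-json/ HTTP/1.1" 403 "1"
198.51.100.5 [14/Jul/2023:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 "-"
198.51.100.6 [14/Jul/2023:10:02:30 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed record with the indicator it matches, or None."""
    if rec["wcpay_hdr"] not in ("-", ""):
        # A client supplying this header is the indicator the article ties to
        # every malicious request; ordinary visitors never send it.
        return "header_abuse"
    if rec["method"] == "GET" and rec["path"].startswith(ENUM_PATH):
        # Version probe of the plugin directory. Benign scanners do this too,
        # so treat it as a low-severity signal rather than proof of attack.
        return "enumeration"
    return None


def analyze(log_text):
    """Summarise indicator hits per label: total count and distinct source IPs.

    Distinct-IP counts matter because the article notes the traffic came from
    thousands of addresses, so volume per IP is not a useful blocking key.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[label].append(rec)
    return {
        label: {"count": len(recs), "unique_ips": len({r["ip"] for r in recs})}
        for label, recs in hits.items()
    }


def is_vulnerable(installed_version):
    """True if the installed plugin version predates the 5.6.2 fix release."""
    parts = tuple(int(p) for p in installed_version.split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for label, summary in analyze(SAMPLE_LOG).items():
        print(f"{label}: {summary['count']} requests from {summary['unique_ips']} IPs")
    print("5.6.1 vulnerable:", is_vulnerable("5.6.1"))
```

Because the header check is independent of the request path, it also catches attempts against endpoints other than the ones the attackers happened to use in this campaign; sites that cannot patch immediately can feed the same condition to a WAF rule that rejects requests carrying the header from clients that are not the payment platform.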

In addition to Wordfence, RCE Security shared a PoC exploit for this flaw in a separate post.

As the plugin's official WordPress page shows, it has over 600,000 active installations, yet only 40.5% of those sites run the latest plugin versions. The changelog lists version 6.2.0 as the current release.

Given the severity of the flaw and the active exploitation, admins must update their WordPress websites with the latest plugin version immediately.
