Hackers are exploiting a well-known gift card plug-in installed on over 50,000 WordPress websites, YITH WooCommerce Gift Cards Premium, in a way that lets them run various scams through legitimate sites.
With the plug-in installed on over 50,000 WordPress sites, scammers have enormous scope. A patch is available from the plug-in maker, but website admins need to apply it to stay secure.
Backdoor Access to WordPress Sites
Last month, researchers discovered a critical bug in the YITH WooCommerce Gift Cards Premium plug-in, which has so far been installed on over 50,000 WordPress sites. Website operators use it to sell gift cards in their online stores, and it requires authentication to post any new updates.
However, a vulnerability tracked as CVE-2022-45359 allows unauthenticated attackers to upload files remotely to affected sites and manage them with near-admin access. Researchers noted that hackers could plant web shells (backdoors) that give them full access to the vulnerable site.
The bug was disclosed publicly on November 22, 2022, with a severity score of 9.8/10. Hackers have since devised a working exploit and have been attacking vulnerable sites. Observing the rise in attacks, the plug-in's maker released a patched version, 3.21.0, and asked users to update. Yet a number of sites are still running the insecure 3.19 and 3.20 versions of the plug-in, leaving them at risk.
Analyzing the ongoing attacks, Wordfence researchers noted that the malicious requests appear in logs as unexpected POST requests from unknown IP addresses. Site admins should treat such requests as a sign of infection and react immediately.
Several attacks happened in November, before admins could respond to the flaw, and a new peak was seen on December 14, 2022. As the attacks continue, site admins are advised to update their YITH WooCommerce Gift Cards Premium plug-in to v3.21.0.
Hackers Not Relenting on their Exploit
Wordfence has reportedly released details of how the exploit works after reverse-engineering it from attack data and a copy of the vulnerable plug-in. It did so because the vulnerability has been exploited in the wild for some time and a patch is already available.
The flaw lies in the plug-in's function that imports actions from the settings panel, which runs on WordPress's admin_init hook. Below are some of the files uploaded by threat actors in attacks analyzed by Wordfence:
- kon.php / 1tes.php – loads a copy of the “marijuana shell” file manager into memory from a remote location (shell[.]prinsh[.]com)
- b.php – a simple uploader
- admin.php – a password-protected backdoor
Most of the attacks observed by Wordfence originated from two IP addresses: 22.214.171.124 (19,604 attacks against 10,936 different sites) and 126.96.36.199 (1,220 attacks against 928 sites).
Site administrators can recognize an attack because the fraudulent requests appear in logs as unexpected POST requests from unfamiliar IP addresses. Analysts say the majority of attacks occurred in November, before administrators could patch the flaw, although a second increase was observed on December 14.
Because exploitation attempts persist, Wordfence advises users of the YITH WooCommerce Gift Cards Premium plug-in to update to version 3.21 as soon as possible.
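As an added example that is not part of this article or of Wordfence's own tooling, the following Python script applies the two indicators described above to web-server logs: POST requests from IP addresses that are not on a known-administrator allowlist, and requests for the file names seen dropped in these attacks. The log lines, client IP addresses and the admin allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2022:03:12:01 +0000] "POST /wp-admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2022:03:12:03 +0000] "GET /kon.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Dec/2022:03:13:44 +0000] "GET /wp-content/uploads/b.php HTTP/1.1" 200 118 "-" "curl/7.81.0"
198.51.100.9 - - [14/Dec/2022:03:13:50 +0000] "GET /1tes.php?a=1 HTTP/1.1" 200 300 "-" "curl/7.81.0"
192.0.2.10 - - [14/Dec/2022:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Dec/2022:08:01:09 +0000] "GET /wp-admin/admin.php?page=yith HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# File names Wordfence saw dropped in these attacks, as listed in the article.
DROPPED_FILES = {"kon.php", "1tes.php", "b.php", "admin.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_indicators(log_text, known_admin_ips):
    """Return (suspicious_posts, dropped_file_hits) for the two indicators in the article:
    {ip: POST count} for IPs outside the admin allowlist, and [(ip, path)] for
    requests whose file name matches one of the dropped files."""
    suspicious_posts = defaultdict(int)
    dropped_file_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["ip"] not in known_admin_ips:
            suspicious_posts[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]   # drop any query string
        basename = path.rsplit("/", 1)[-1]
        # /wp-admin/admin.php is a legitimate core file; "admin.php" is only suspicious elsewhere.
        if basename in DROPPED_FILES and not path.startswith("/wp-admin/"):
            dropped_file_hits.append((rec["ip"], path))
    return dict(suspicious_posts), dropped_file_hits

if __name__ == "__main__":
    posts, hits = find_indicators(SAMPLE_LOG, known_admin_ips={"192.0.2.10"})
    print("unexpected POSTs by IP:", posts)
    print("requests for known dropped files:", hits)
```

A log hit on one of these names is a prompt to inspect the file on disk and compare the site against a clean copy; the allowlist only suppresses POSTs from addresses you already know belong to your administrators.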
16-Point Checklist for WordPress Site Security
We cannot emphasize enough how crucial strong site security is. We know that when you are rushing to meet a deadline you may not have enough time to safeguard your WordPress site adequately, so we have created a checklist to make sure you remember all the essentials.
It is understandable that many people, in a sea of over 2 billion websites, do not believe their site is at risk of being hacked. And if you have never experienced an attack, you might not be as concerned as you should be.
However, it is better to be properly protected and never need it than to be unprepared and regret it. To make planning your security easier, we have put together a checklist of 16 steps to follow when safeguarding your website.
- Select a reputable web hosting company
- Use a password manager and conceal your login URL
- Enable two-factor authentication
- Implement login timeouts
- Set up a web application firewall (WAF)
- Use a security plug-in
- Automate workflows with plug-ins
- Protect against DDoS attacks
- Regularly check for fake accounts
- Secure the wp-config file
- Install an SSL certificate
- Stop hotlinking and block spam comments
- Visit your website frequently and consider a static site