Hackers are actively exploiting a critical vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin to upload backdoors to e-commerce stores. The plugin lets online stores sell gift cards and is used by tens of thousands of websites.
More about the vulnerability
The flaw in question is tracked as CVE-2022-4539 (an arbitrary file upload issue) and lies in the plugin’s ‘import_actions_from_settings_panel’ function, which runs on the ‘admin_init’ hook.
Exploiting the bug allows an attacker to upload files, including web shells, to vulnerable sites.
More than 50,000 websites are still running vulnerable versions of the plugin, allowing threat actors to exploit the flaw, place a backdoor, launch remote code execution attacks and take over the sites.
The issue was discovered on November 22 and was addressed with the release of version 3.20.2 of the plugin.
Active exploitation in attacks
According to the researchers, most attacks occurred the day after the vulnerability was disclosed, and exploitation has been ongoing since then.
Most of these attacks originated from the IP addresses 103.138.108.15 and 188.66.0.135.
The attackers exploited the flaw by sending POST requests to /wp-admin/admin-post.php, allowing them to upload a malicious PHP file to the site.
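As an added example (not code from the article, the researchers or the plugin), the following Python triage script scans constructed web-server access-log lines for the request pattern described above, POST requests to /wp-admin/admin-post.php, and flags those coming from the two reported source IPs; the sample log lines, the log regex and the severity labels are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
103.138.108.15 - - [24/Nov/2022:10:15:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [24/Nov/2022:10:16:30 +0000] "GET /wp-admin/admin-post.php?action=export HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2022:10:17:45 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
188.66.0.135 - - [24/Nov/2022:10:18:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 0 "-" "curl/7.85"
192.0.2.4 - - [24/Nov/2022:10:19:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Source IPs the article reports as the origin of most exploitation attempts.
KNOWN_ATTACK_IPS = {"103.138.108.15", "188.66.0.135"}

# Endpoint the reported attacks posted to.
TARGET_PATH = "/wp-admin/admin-post.php"

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every POST to admin-post.php, marking hits from the reported IPs as high."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string before comparing
        if m.group("method") != "POST" or path != TARGET_PATH:
            continue
        ip = m.group("ip")
        hits.append({
            "ip": ip,
            "timestamp": m.group("ts"),
            "status": m.group("status"),
            "severity": "high" if ip in KNOWN_ATTACK_IPS else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

admin-post.php is also used by legitimate logged-in administrators, so hits marked "review" need correlating with other evidence, such as unexpected new PHP files under the site's upload directory around the same timestamp.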
What’s recommended
Researchers warn that the vulnerability is trivial to exploit and provides full access to a vulnerable website. As exploitation attempts are still ongoing, sites running vulnerable versions are advised to upgrade to the latest version of the YITH WooCommerce Gift Cards WordPress plugin to stay safe.