A severe bug has been discovered in the YITH WooCommerce Gift Cards Premium plugin, which is used by over 50,000 websites. The vulnerability allows attackers to take full control of affected sites.
The YITH WooCommerce Gift Cards Premium plugin lets website administrators sell gift cards in their online stores. In November, a critical vulnerability (CVE-2022-45359, rated 9.8 on the CVSS scale) was found in the plugin, allowing unauthenticated attackers to upload files to vulnerable websites (including web shells that grant full control over the site).
All versions of the plugin up to 3.19.0 are affected by the vulnerability. A patch was released in version 3.20.0, but the vendor has since released version 3.21.0 and recommends updating to it.
According to cybersecurity firm Wordfence, many websites are still running vulnerable versions of the plugin, and hackers have taken notice. The bug is being actively exploited, with attackers using it to upload backdoors, execute code remotely, and take over websites.
The root of the problem lies in the “import_actions_from_settings_panel” function, which is hooked to “admin_init” and performs neither a CSRF (nonce) check nor a capability check. This allows POST requests to “/wp-admin/admin-post.php” to upload malicious PHP files to the site.
Exploitation attempts appear in logs as unexpected POST requests from unknown IP addresses. Wordfence found that attackers have uploaded the following files to vulnerable websites:
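To make the root cause concrete, here is an added illustration (not the plugin's actual code) of the pattern Wordfence describes: a handler hooked to admin_init runs for any request that reaches admin-post.php, including unauthenticated ones, so it must enforce its own checks. The handler name mirrors the one in the advisory; the nonce action, capability, field names and upload details are assumptions.

```php
<?php
// Added illustration, not the plugin's code. admin_init fires on every
// wp-admin request, including /wp-admin/admin-post.php, and a visitor
// does not need to be logged in to reach it, so the handler itself must
// verify both intent (nonce) and authorization (capability).

// Vulnerable shape: no nonce, no capability check. Any POST carrying a
// file ends up written into the site under a client-chosen name.
function import_actions_from_settings_panel_vulnerable() {
    if ( empty( $_FILES['settings_file'] ) ) {
        return;
    }
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['settings_file']['name'] );
    move_uploaded_file( $_FILES['settings_file']['tmp_name'], $dest );
}

// Hardened shape: require a valid nonce tied to this action AND an
// appropriate capability, then restrict the upload to the expected type.
// 'yith_gc_import', 'yith_gc_import_nonce' and 'manage_woocommerce' are
// assumed names chosen for this illustration.
function import_actions_from_settings_panel_fixed() {
    if ( ! isset( $_POST['yith_gc_import_nonce'] ) ) {
        return; // unrelated admin request; nothing to do
    }
    // check_admin_referer() dies with a 403 if the nonce is missing or stale.
    check_admin_referer( 'yith_gc_import', 'yith_gc_import_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    if ( empty( $_FILES['settings_file'] ) ) {
        return;
    }
    // Do not trust the client-supplied name: accept only a JSON export and
    // let wp_handle_upload() pick a safe destination instead of raw move_uploaded_file().
    $allowed = array( 'json' => 'application/json' );
    $check   = wp_check_filetype( $_FILES['settings_file']['name'], $allowed );
    if ( 'json' !== $check['ext'] ) {
        wp_die( 'Only .json settings exports are accepted.', 400 );
    }
    $result = wp_handle_upload(
        $_FILES['settings_file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    // ... parse $result['file'] as plugin settings ...
}
add_action( 'admin_init', 'import_actions_from_settings_panel_fixed' );
```

When reviewing a plugin, any admin_init callback that reads $_POST or $_FILES without a nonce and capability check is the same pattern and worth flagging.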
- “php/1tes.php”: loads a copy of the marijuana shell file manager from a remote source (shell.prinsh[.]com) into memory
- “php”: a simple uploader
- “php”: password-protected backdoor
Most of the attacks occurred in November, before administrators had time to fix the vulnerability, but a second peak of hacks was observed on December 14, 2022. The IP address 18.104.22.168 was a major source of attacks, with 19,604 attempts to hack 10,936 websites, followed by the IP address 22.214.171.124, which launched 1,220 attacks against 928 websites.
As the attacks are still ongoing, experts recommend updating YITH WooCommerce Gift Cards Premium to version 3.21 as soon as possible.