PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin. This allows attackers to place a backdoor, obtain Remote Code Execution, and take over the site.
All Wordfence customers, including Wordfence Premium, Care, and Response customers as well as Wordfence free users, are protected against exploits targeting this vulnerability by the Wordfence firewall’s built-in file upload rules which prevent the upload of files with known dangerous extensions, files containing executable PHP code, and known malicious files.
We highly recommend updating to the latest version of the plugin, which is 3.21.0 at the time of this writing.
Description: Unauthenticated Arbitrary File Upload
Affected Plugin: YITH WooCommerce Gift Cards Premium
Plugin Slug: yith-woocommerce-gift-cards-premium
Affected Versions: <= 3.19.0

Only a fragment of the vulnerable CSV import handler survives on this page (the surrounding function body is not reproduced, and the string literal between the uploads base directory and the file name was mangled by the page's quote rendering):

    import_from_csv( $uploaddir['basedir'] . ” . $file_name, get_option( 'ywgc_csv_delimitier', ';' ) );
    } }

The fragment shows the user-supplied file name being joined to the uploads base directory and handed to the importer, consistent with the description above that neither authentication nor the file type is enforced before an uploaded file is accepted.
These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads, which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed), so a plain sha256sum of a recovered file will not match them until the same normalization is applied:

- 1tes.php – loads a copy of the "marijuana shell" file manager in memory from a remote location at shell[.]prinsh[.]com. Normalized sha256 hash:
- b.php – a simple uploader. Normalized sha256 hash:
- admin.php – a password-protected backdoor. Normalized sha256 hash:
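As an added example (not Wordfence's code and not the plugin's), the following Python script applies the indicators above to a web server access log and computes a whitespace-stripped SHA-256 in the spirit of the normalized hashes mentioned. The log lines are constructed for illustration; only the two IP addresses come from this post. The normalization rule (drop all ASCII whitespace) and the "PHP file requested from wp-content/uploads" heuristic are assumptions of this example, not something the post states.

```python
"""Triage helpers for the YITH Gift Cards upload campaign described above.

Added example, not Wordfence's code. Everything here is constructed for
illustration: the log lines are made up (only the two IP addresses come
from the post), and the whitespace rule used for "normalized" hashing is
an assumption, since the post does not state Wordfence's exact rule.
"""
import hashlib
import re
from collections import Counter
from pathlib import Path

# The two IPs named in the post as the source of most attacks.
KNOWN_ATTACKER_IPS = {"22.214.171.124", "126.96.36.199"}

# Constructed sample access log in Apache/nginx "combined" format. The
# 203.0.113.x and 198.51.100.x addresses are documentation ranges.
SAMPLE_LOG = """\
22.214.171.124 - - [23/Nov/2022:04:12:09 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Nov/2022:04:12:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
126.96.36.199 - - [23/Nov/2022:04:13:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
22.214.171.124 - - [23/Nov/2022:04:13:45 +0000] "GET /wp-content/uploads/1tes.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Nov/2022:05:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Nov/2022:05:01:12 +0000] "POST /wp-admin/admin-post.php?foo=bar HTTP/1.1" 200 512 "-" "curl/7.85.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def triage_log(log_text, known_ips=KNOWN_ATTACKER_IPS):
    """Flag the pattern the post describes plus one follow-up indicator.

    Returns a dict with:
      admin_post_by_ip  - Counter of POSTs to wp-admin/admin-post.php per source IP
      known_ip_hits     - those POSTs that came from the post's named attacker IPs
      php_in_uploads    - requests for .php files under wp-content/uploads (added
                          heuristic: a dropped web shell has to be requested to be used)
    """
    by_ip = Counter()
    known_hits = []
    php_in_uploads = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/wp-admin/admin-post.php"):
            by_ip[rec["ip"]] += 1
            if rec["ip"] in known_ips:
                known_hits.append((rec["ip"], rec["ts"]))
        if "/wp-content/uploads/" in rec["path"] and rec["path"].lower().endswith(".php"):
            php_in_uploads.append((rec["ip"], rec["path"]))
    return {"admin_post_by_ip": by_ip, "known_ip_hits": known_hits, "php_in_uploads": php_in_uploads}


def normalized_sha256(data):
    """SHA-256 of the file with all ASCII whitespace removed (assumed normalization).

    bytes.split() with no argument splits on runs of ASCII whitespace and drops
    them, so two copies of a backdoor that differ only in indentation, line
    endings or trailing blanks hash the same. This is an assumption about what
    "extraneous whitespace removed" means; if Wordfence's rule differs (for
    example collapsing runs to a single space), hashes will not be comparable.
    """
    return hashlib.sha256(b"".join(data.split())).hexdigest()


def hash_php_files(root):
    """Normalized hashes of every .php file under root, e.g. wp-content/uploads."""
    return {str(p): normalized_sha256(p.read_bytes())
            for p in sorted(Path(root).rglob("*.php")) if p.is_file()}


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for ip, n in result["admin_post_by_ip"].most_common():
        tag = "  (named in the Wordfence post)" if ip in KNOWN_ATTACKER_IPS else ""
        print(f"{n:4d} POST admin-post.php from {ip}{tag}")
    for ip, path in result["php_in_uploads"]:
        print(f"PHP file requested from uploads: {path} by {ip}")
```

Point `hash_php_files` at your uploads directory to get normalized hashes for comparison; note that the third POST in the sample comes from an address that is not on the post's list, which is why the script counts every source of admin-post.php POSTs rather than only the two named IPs.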
Although we have seen attacks from more than a hundred IPs, the vast majority of attacks came from just two IP addresses:

- 22.214.171.124, which sent 19,604 attacks against 10,936 different sites
- 126.96.36.199, which sent 1,220 attacks against 928 sites
The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.
If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.
If you are a security researcher, you can responsibly disclose your findings to us, obtain a CVE ID, and get your name on the Wordfence Intelligence Community Edition leaderboard.