Attackers Pummel Millions of Websites via Critical WooCommerce Payments Flaw

Attackers have been exploiting a critical flaw in the WordPress WooCommerce Payments plug-in in a spate of attacks over the last few days that peaked at 1.3 million attempts against 157,000 sites on July 15, researchers have found.

Researcher Michael Mazzolini of GoldNetwork discovered flaw — tracked as CVE-2023-28121 and rated as 9.8 out of 10 on the CVSS vulnerability rating scale — in March while doing white-hat testing through WooCommerce's HackerOne program. Exploit code soon followed, particularly from RCE Security, which released a blog post earlier this month detailing how to take advantage of the flaw.

The issue specifically affects the WooCommerce Payments plugin for WordPress, versions 5.6.1 and lower, allowing an unauthenticated attacker to elevate privileges and send requests on behalf of administrator, thus gaining admin access on a site that has an affected version of the plugin activated.

Swathes of Sites Vulnerable Despite Auto-Patch

WooCommerce Payments, which provides functionality to online stores to accept payments through credit cards, debit cards, and Apple Pay, is installed on more than 600,000 sites. The payment plugin is no stranger to being under attack, but typically attackers have targeted it as part of a broader Magecart skimming attack that also affects other payment systems.

WooCommerce patched the flaw soon after its discovery through an auto-update to WordPress sites running WooCommerce Payments 4.8.0 through 5.6.1. However, users running affected versions on non-WordPress.com needed to install the update to patch, and if they didn't, the sites remain vulnerable.

Attackers have been taking full advantage of those vulnerable sites over the last few days, in a string of attacks that are unusual in that they appear to be highly targeted rather than random, Wordfence revealed in a blog post on July 17.

"Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites," Wordfence's Ram Gall wrote in the post.

WooCommerce Cyberattacks Lead to Code Execution

Wordfence researchers saw the first warning signs of the barrage several days before the main wave through an increase in plugin enumeration requests that searched for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites.

While the majority of actual attacks came from a handful of IP addresses, which were shared in the post, the readme.txt requests were distributed over thousands of IP addresses. However, only about 5,000 IP addresses sent both readme.txt requests and actual attacks, Gall reported.

Common to all exploits targeting the WooCommerce Payments vulnerability was the header, X-Wcpay-Platform-Checkout-User: 1, which causes vulnerable sites to treat any additional payloads as coming from an admin, Gall said.

"Many of the requests we've seen using this appear to be attempting to use their new administrative privileges to install the WP Console plugin, which can be used by an administrator to execute code on a site," he wrote.

Once that plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence, Gall said. The payload observed by Wordfence researchers has an MD5 hash of "fb1fd5d5ac7128bf23378ef3e238baba" when saved to the victim filesystem, something the Wordfence scanner has provided detection for it since at least July 2021, he said.

"We have also seen attackers creating malicious administrator users with randomized alphanumeric usernames such as 'ac9edbbe'," Gall wrote.

Exploiting the CVE-2023-28121 Bug

The exploit attack outlined by Julien Ahrens, the self-appointed hacker behind RCE Security, triggers the vulnerability in the determine_current_user_for_platform_checkout() function, where the plugin checks for the existence of the X-WCPAY-PLATFORM-CHECKOUT-USER request header, he explained in his post. If it's present, WooCommerce simply returns the header's value, which represents the "determined" user.

This allows an attacker to trick WordPress into thinking that an unauthenticated user is actually authenticated, by setting the X-WCPAY-PLATFORM-CHECKOUT-USER request header and pointing it to a userId, Ahrens explained.

"What happens under the hood is that the hook effectively tells WordPress which user the request came from," he wrote. "Since we have the userId under our control, we do now have an easy way to impersonate any user which is active/enabled on the WordPress instance, including administrators."

Thus, once an attacker achieves admin impersonation, the entire WordPress instance can be compromised, he said. An attacker can determine if the exploit was successful based on the HTTP response code; if it's 201, then it will return the user object of the newly created user, which can then be used to authenticate against WordPress' administrative backend, Ahrens said.

If a case occurred in which the targeted, impersonated user doesn't exist anymore or is disabled, an attacker will need to either query the /wp-json/wp/v2/users API method to get a list of active users or simply brute force through the userIds, he added.

Avoiding Website Compromise

Anyone using an affected version of WooCommerce Payments is encouraged to ensure the plugin is updated to the latest version, which patches the flaw. The company outlined flaw details and mitigation in a blog post published in March, when the flaw was discovered.

Once users ensure that the version of WooCommerce that they're using is secure, they should check for evidence of any unexpected admin users or posts on their site, WooCommerce recommends. If they find any, they should update admin passwords, as well as rotate any API keys used on the site, including the WooCommerce API key.