Old 04-21-2025, 12:55 AM

Artifact (Administrator, joined Jan 2024)

Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites.
YITH WooCommerce Gift Cards Premium is a plugin that allows website operators to sell gift cards in their online stores.
Exploiting the vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), allows unauthenticated attackers to upload files to vulnerable sites, including web shells that provide full access to the site.
CVE-2022-45359 was disclosed to the public on November 22, 2022, impacting all plugin versions up to 3.19.0. The security update that addressed the problem was version 3.20.0, while the vendor has already released 3.21.0 by now, which is the recommended upgrade target.
Unfortunately, many sites still use the older, vulnerable version, and hackers have already devised a working exploit to attack them.
According to WordPress security experts at Wordfence, the exploitation effort is well underway, with hackers leveraging the vulnerability to upload backdoors on the sites, obtain remote code execution, and perform takeover attacks.
Actively exploited in attacks
Wordfence reverse-engineered an exploit hackers are using in attacks, finding that the issue lies in the plugin’s “import_actions_from_settings_panel” function that runs on the “admin_init” hook.
Moreover, this function does not perform CSRF or capability checks in vulnerable versions.
These two issues make it possible for unauthenticated attackers to send POST requests to “/wp-admin/admin-post.php” using the appropriate parameters to upload a malicious PHP executable on the site.
“It is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.” - Wordfence.

(Image: CVE-2022-45359 exploit code)
The malicious requests appear on logs as unexpected POST requests from unknown IP addresses, which should be a sign for site admins they are under attack.
The uploaded files spotted by Wordfence are the following:
  • kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)

  • b.php – simple uploader file

  • admin.php – password-protected backdoor

The analysts report that most attacks occurred in November before admins could patch the flaw, but a second peak was observed on December 14, 2022.
IP address 103.138.108.15 was a significant source of attacks, launching 19,604 exploitation attempts against 10,936 websites. The next largest IP address is 188.66.0.135, which conducted 1,220 attacks against 928 WordPress sites.
The exploitation attempts are still ongoing, so users of the YITH WooCommerce Gift Cards Premium plugin are recommended to upgrade to version 3.21 as soon as possible.
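A defender-side illustration of the log signal the post mentions (unexpected POSTs to /wp-admin/admin-post.php): this is an added example, not code from the post or from Wordfence. It scans constructed access-log lines, flags such POSTs from addresses outside a hypothetical admin allowlist, tags the two source IPs the post names, and notes later requests for the dropped file names; the allowlist, log lines and file locations are assumptions.

```python
import re
from collections import Counter

# Constructed Apache "combined" access-log lines (not real traffic). The two
# non-RFC5737 source addresses are the ones the post attributes the bulk of
# the exploitation attempts to.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2022:09:12:01 +0000] "GET /wp-admin/admin-post.php?page=yith_woocommerce_gift_cards_panel HTTP/1.1" 200 512 "-" "Mozilla/5.0"
103.138.108.15 - - [14/Dec/2022:09:12:07 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
103.138.108.15 - - [14/Dec/2022:09:12:09 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 2048 "-" "python-requests/2.28.1"
188.66.0.135 - - [14/Dec/2022:09:15:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.7 - - [14/Dec/2022:10:01:12 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.7 - - [14/Dec/2022:10:01:20 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist: addresses your own administrators work from.
# Legitimate admin-post.php POSTs from these are expected and not flagged.
ADMIN_ALLOWLIST = {"192.0.2.7"}

# Source addresses the post names as the largest origins of attempts.
KNOWN_ATTACKER_IPS = {"103.138.108.15", "188.66.0.135"}

# File names the post says were dropped; a later request for one of them
# under /wp-content/ (assumed upload location) is a strong follow-up signal.
DROPPED_FILES = {"kon.php", "1tes.php", "b.php", "admin.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def analyze(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (findings, per-IP count of admin-post.php POSTs outside the allowlist)."""
    findings, posts_by_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path == "/wp-admin/admin-post.php" and ip not in allowlist:
            posts_by_ip[ip] += 1
            tag = "known-attacker" if ip in KNOWN_ATTACKER_IPS else "unknown-source"
            findings.append((ip, "admin-post POST", tag))
        elif path.startswith("/wp-content/") and path.rsplit("/", 1)[-1] in DROPPED_FILES:
            findings.append((ip, "access to dropped file", path.rsplit("/", 1)[-1]))
    return findings, posts_by_ip

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(*finding)
```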