Threat actors are actively exploiting a critical security flaw recently disclosed in the WooCommerce Payments WordPress plugin as part of a massive, targeted campaign.
The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is an authentication bypass that allows an unauthenticated attacker to impersonate arbitrary users, including administrators, and perform actions as that user, potentially leading to site takeover.
“A large-scale attack on the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” Wordfence security researcher Ram Gall said in Monday’s post.
WooCommerce Payments versions 4.8.0 through 5.6.1 are vulnerable. The plugin is installed on more than 600,000 sites. A patch for the bug was released by WooCommerce in March 2023, with WordPress issuing automatic updates to sites running the affected versions.
The common denominator across the observed attacks is the HTTP request header “X-Wcpay-Platform-Checkout-User: 1”, which causes the vulnerable site to treat the rest of the request as coming from an administrative user.
Wordfence says the loophole is being weaponized to install the WP Console plugin, which the attackers can then use with administrator privileges to execute malicious code and install file uploaders, establishing persistence and backdooring compromised sites.
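As an added detection example (not code from the original report, Wordfence or WooCommerce), the following Python script scans raw HTTP request captures, as a reverse proxy or WAF might record them, for the impersonation header described above; the sample captures, the field names and the hypothetical host `example.test` are constructed assumptions.

```python
"""Flag captured HTTP requests that carry the X-Wcpay-Platform-Checkout-User header."""
from email.parser import Parser
from typing import Optional

# HTTP header names are case-insensitive, so compare in lower case.
SUSPECT_HEADER = "x-wcpay-platform-checkout-user"

def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into method, path and lower-cased headers."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    request_line, _, rest = text.partition("\n")
    method, path, _version = request_line.split(" ", 2)
    msg = Parser().parsestr(rest, headersonly=True)
    return method, path, {name.lower(): value.strip() for name, value in msg.items()}

def check_request(raw: str) -> Optional[dict]:
    """Return a finding if the request tries to set the platform-checkout user, else None."""
    method, path, headers = parse_request(raw)
    user_id = headers.get(SUSPECT_HEADER)
    if user_id is None:
        return None
    # Any value is suspicious: the header is not something a browser sends.
    return {"method": method, "path": path, "claimed_user_id": user_id,
            "client": headers.get("x-forwarded-for")}

def scan_captures(captures: list[str]) -> list[dict]:
    """Run check_request over a batch of captures and keep only the hits."""
    findings = []
    for raw in captures:
        hit = check_request(raw)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample captures (not real traffic): one benign request, one
# with the header in lower case, one with the header and a non-default value.
SAMPLE_CAPTURES = [
    "GET /shop/ HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /wp-json/ HTTP/1.1\r\nHost: example.test\r\n"
    "x-wcpay-platform-checkout-user: 1\r\nContent-Length: 0\r\n\r\n",
    "POST /wp-json/ HTTP/1.1\r\nHost: example.test\r\n"
    "X-Forwarded-For: 203.0.113.7\r\nX-Wcpay-Platform-Checkout-User: 42\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_captures(SAMPLE_CAPTURES):
        print(finding)
```

Because the header is only meaningful to the plugin, any request carrying it from outside the WooCommerce platform is worth alerting on regardless of its value.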
Adobe ColdFusion Flaw Exploited in the Wild
The disclosure comes as Rapid7 reported observing active exploitation of the Adobe ColdFusion flaw in several customer environments starting July 13, 2023, to deploy web shells on compromised endpoints.
“Threat actors appear to be exploiting CVE-2023-29298 alongside secondary vulnerabilities,” Rapid7 security researcher Caitlin Condon said. An additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that has been resolved in out-of-band updates released on July 14th.
“The vulnerability allowed an attacker to access administration endpoints by inserting an unexpected trailing slash character in the requested URL,” Rapid7 revealed last week.
Rapid7, however, warns that the fix for CVE-2023-29298 is incomplete and that the exploit could be trivially modified to bypass the patch released by Adobe.
Users are advised to update to the latest version of Adobe ColdFusion to safeguard against potential threats, as the fix made to resolve CVE-2023-38203 breaks the exploit chain.