Thousands WordPress of websites have been detected using a vulnerability detection add-on that allows cybercriminals to take complete control of a website.
Researchers have discovered a critical vulnerability in YITH WooCommerce Gift Cards Premium, a website builder add-on that provides an interface for creating gift cards on WordPress sites that is reportedly used by over 50,000 websites.
The vulnerability itself lies in the ability to upload arbitrary files unauthenticated, allowing fraudsters to upload web shells and gain full access to the targeted website, among other things.
Theft of cryptocurrency account details
The vulnerability, tracked as CVE-2022-45359 and rated 9.8 – Critical, has already been patched and users are being asked to update the add-on as soon as possible as there is evidence of abuse of the vulnerability in the wild.
It was first discovered in late November 2022, when researchers discovered a vulnerability present in all versions up to 3.19.0. As such, users are advised to install the add-on at least version 3.20.0 or 3.21.0, which is now available for download.
The vulnerability was discovered by Wordfence, a cybersecurity company analyzing the WordPress ecosystem, and its researchers say there are already cybercriminals exploiting the vulnerability.
While most of the attacks occurred in November while the vulnerability was still considered a zero-day, another exploitation peak was also observed on December 14, 2022.
Only two IP addresses (103.138.108.15 and 188.66.0.135) accounted for more than 20,000 attempts to exploit almost 12,000 websites.
While WordPress itself is relatively stable (around 0.5% of all WordPress-related vulnerabilities are within the hosting platform itself), its ecosystem is large and as such provides ample opportunities for exploitation. Paid add-ons like this tend to be updated frequently and developers try to keep the product safe, while free add-ons can often run for months without patching and can become a real nightmare for webmasters.
Through: Beeping Computer (opens in a new tab)