A top WordPress plugin is being hacked to hijack websites

Sead Fadilpašić

18 July 2023 at 10:32 am·2-min read

WordPress logo

Cybersecurity researchers from Wordfence are warning WordPress users that a popular plugin has a security flaw that is being abused in the wild in ongoing campaigns.

Threat actors can use the flaw, tracked as CVE-2023-28121, and carrying a severity score of 9.8, for a number of things, including full website takeover.

It’s found in the WooCommerce Payments plugin, which is installed on more than 600,00 websites. The vulnerability is described as “authentication bypass”, and allows threat actors to bypass authentication and act as different users, including administrators.

Patched months ago

The bulk of the attack, which seems to be automated, happened during the last weekend: “Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence said in its announcement.

Websites hosting WooCommerce Payments versions 4.8.0 to 5.6.1 were said to be vulnerable, with the patch being available for months now.

On the compromised websites, the attackers managed to deploy the WP Console plugin and use it to run malicious code, including file uploaders and backdoors.

> WordPress plugin exposes half a million sites to attack

> How to build a website for free: A guide to creating a site on a budget

> Check out the best firewalls out there

The vulnerability was first discovered by cybersecurity researchers from GoldNetwork, in late March 2023. At the time, there was no evidence of the flaw being used in the wild, and WordPress pushed a mandatory update to all websites with the plugin installed, in hopes to minimize the potential damages. However, it would seem that there are plenty of websites out there that have automatic updates turned off.

Here are all the vulnerable WooCommerce Payments versions: .8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

If your website is still running any of the above mentioned versions, chances are it still hasn’t been updated. To do so manually, head to your WP Admin dashboard, navigate to Plugins, find WooCommerce Payments, and look for a notification about the vulnerability, as well as the instructions on how to update.

These are the best endpoint protection services right now

Via: The Hacker News

NextShark
16-year-old Chinese boy beat with iron rod on New Zealand bus
On Friday morning, during the Maori New Year public holiday, a 16-year-old teen named Jason was brutally attacked on an Auckland bus by a woman wielding an iron rod. The assailant, described as a Maori woman “more than 200 kilograms," hit Jason multiple times and stabbed him in the face, knocking out five of his teeth, on board the bus after having allegedly shouted "ch*nk" at him at Johns Lane stop. Man intervenes: A 75-year-old Chinese man, Penglai Qiuyue, intervened and managed to grab the weapon, though he was also injured in the process.
The Telegraph
The world must prepare for President Michelle Obama
The 2024 US Presidential race intensifies. Speculation abounds over potential replacements for President Joe Biden amid increasing pressure from his party and the media to step aside after a jaw-dropping, catastrophic debate against Donald Trump last week. Among the names circulating, a game-changer is emerging: Michelle Obama. Could this be America’s worst nightmare?
The Telegraph
Horrifying moment husband wheels suitcase containing murdered wife from home while carrying child
A husband who strangled his wife in front of her two children and lover on a video call was captured wheeling the suitcase containing her body out of his home.
Malay Mail
As AG stays silent, Rosmah presses on with bid to strike out money laundering and tax evasion charges
KUALA LUMPUR, July 4 — Datin Seri Rosmah Mansor's money laundering and tax evasion trial proceeded today despite the lac...
The Telegraph
Michelle Obama the only Biden alternative who would beat Trump
The only prospective candidate who could beat Donald Trump in the presidential election is Michelle Obama, according to a new poll.
Malay Mail
Tour bus driver in fatal Genting crash claims trial to reckless driving causing death, and having no valid licence
KUALA LUMPUR, July 3 — S. Anand Kumar, the Malaysian man behind the wheel of the tour bus that overturned and killed two...
Malay Mail
Singapore’s new S$20,000 cash declaration rules: What Malaysians need to know
Singapore has implemented new regulations since May requiring all travellers to declare cash exceeding S$20,000 (RM69...
Bloomberg
These flight routes suffer the world’s worst turbulence
A series of incidents that left scores of airline passengers needing medical attention has shone a spotlight on the problem of severe in-flight turbulence.
Cosmopolitan
Jennifer Lopez Ditched Her Wedding Ring on an Instagram Post Amid Ben Affleck Divorce Rumors
Jennifer Lopez showcased a bare left hand while promoting her beauty line in a recent Instagram post. See it here.
People
Jennifer Lopez Flaunts Her Abs in White Crop Top and Baggy Jeans During N.Y.C. Outing
Lopez was spotted wearing her wedding ring with the casual attire
The Telegraph
Hindu priest sexually abused hundreds of followers, High Court hears
A woman accusing a religious leader of exploiting and sexually abusing her told the High Court he has done it to “hundreds” of his followers over the last 40 years.
INSIDER
The UK is about to get a new prime minister — someone Obama has been mentoring for months
The leader of the Labour Party, Keir Starmer, has been mentored by Barack Obama. The relationship is likely to continue if Starmer wins the UK election.
The Telegraph
Beijing is laughing at the West’s weakness
Russian aggression in Ukraine poses a threat to world peace and stability. China provides material support for Russia’s actions. All this is entirely clear. In Beijing, immediately after a meeting with Xi Jinping in April this year, US Secretary of State Antony Blinken said that “Russia would struggle to sustain its assault on Ukraine without China’s support”. This included selling huge quantities of machine tools and micro-electronics that would be used in the Russian defence industry.
Malay Mail
Blackpink’s Jennie won’t be coming, so why is there a big fuss at TRX’s Gentle Monster tomorrow? (VIDEO)
KUALA LUMPUR, July 4 — Jennie of K-pop girl group Blackpink will not be coming to Kuala Lumpur, so why is there still a...
Bloomberg
China urges Philippines to punish killers of Chinese citizen
China called on the Philippines to catch and severely punish the murderers of a Chinese citizen in a kidnapping case that prompted Beijing’s diplomatic intervention.
The Independent
Predator teacher Rebecca Joynes weeps as she is jailed for having sex with two teenage boys
Rebecca Joynes cried in the dock as she was sentenced for six counts of engaging in sexual activity with a child, including two while being a person in a position of trust
The Telegraph
Have the Houthis sunk a British warship? Here’s what actually happened
Yesterday afternoon the Iranian-backed militia in Yemen, the Houthis, claimed they had targeted four ships which they deemed to belong to the US/UK/Israel “trio evil”. According to the rapidly becoming famous Houthi spokesman Yahya Sare’e – the Comical Ali of the 2020s – “the British landing ship Anvil Point” was targeted and “the hit was accurate and direct. The ship was targeted by a number of cruise missiles.”
The Independent
Investigation reveals house of horrors on boat after dad arrested on child porn charges
Police said they uncovered a world of sickening abuse on Eric Cadogan’s houseboat
The Telegraph
Every Euro 2024 quarter-final team ranked: England dead last – this is why
The most boring and ponderous team to watch but you have to be in it to win it and Southgate’s side are still there somehow. Being fun to watch is great but playing badly and winning is not a terrible habit to have in knockout football. Might be wishful thinking but surely they have to play better at some point. Then they might still be dangerous.
INSIDER
The sperm donor at the center of 'The Man with 1000 Kids' says he plans to sue Netflix. Here's where Jonathan Jacob Meijer is now.
"The Man with 1000 Kids" tells the story of serial sperm donor, Jonathan Jacob Meijer and the families who slowly realize the sheer number of children he has fathered.

Patched months ago

Latest stories