Security
Headlines
HeadlinesLatestCVEs

Headline

Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an

The Hacker News
#vulnerability#web#wordpress#backdoor#auth#The Hacker News

Server Security / Vulnerability

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign.

The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover.

“Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” Wordfence security researcher Ram Gall said in a Monday post.

Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of the software.

A common denominator observed in the attacks entails the use of the HTTP request header “X-Wcpay-Platform-Checkout-User: 1” that causes susceptible sites to treat any additional payloads as coming from an administrative user.

Wordfence said the aforementioned loophole is being weaponized to deploy the WP Console plugin, which can be used by an administrator to execute malicious code and install a file uploader to set up persistence and backdoor the compromised site.

Adobe ColdFusion Flaws Exploited in the Wild

The disclosure comes as Rapid7 reported that it observed active exploitation of Adobe ColdFusion flaws in multiple customer environments starting July 13, 2023, to deploy web shells on infected endpoints.

“Threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability,” Rapid7 security researcher Caitlin Condon said. The additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that was addressed in an out-of-band update released on July 14.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

CVE-2023-29298 (CVSS score: 7.5) concerns an access control bypass vulnerability impacting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.

“The vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL,” Rapid7 disclosed last week.

Rapid7, however, warned that the fix for CVE-2023-29298 is incomplete and that it could be trivially modified to bypass the patches released by Adobe.

Users are recommended to update to the latest version of Adobe ColdFusion to secure against potential threats, since the fixes put in place to resolve CVE-2023-38203 breaks the exploit chain.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.

CVE-2023-38203: Adobe Security Bulletin

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability

Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update

Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway

Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions - NetScaler ADC and NetScaler Gateway 13.1

CVE-2023-29298: Adobe Security Bulletin

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

CVE-2023-28121: Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.