Security researchers report that malicious actors are actively exploiting a critical vulnerability in the WooCommerce Payments WordPress plugin. The exploitation is part of a large-scale, targeted campaign that threatens the many e-commerce sites that rely on the plugin.

The vulnerability, tracked as CVE-2023-28121 with a CVSS score of 9.8, is an authentication bypass. It allows an unauthenticated attacker to impersonate any user, including administrators, and perform actions as that user, which can lead to a complete takeover of an affected site.

Wordfence security researcher Ram Gall noted that mass exploitation of the vulnerability began on July 14, 2023, and escalated over the weekend to a peak of 1.3 million attacks against 157,000 websites by July 16. The exposure is substantial: versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable, and the plugin is installed on more than 600,000 sites. Although WooCommerce released patches in March 2023, many sites have still not updated, despite WordPress having offered automatic updates for the affected versions.

The attacks add the HTTP request header “X-Wcpay-Platform-Checkout-User: 1” to otherwise unauthenticated requests. Vulnerable versions of the plugin trust the value of that header as the ID of the current user, so the request is processed as user ID 1, which on most WordPress sites is the first administrator account. With that access the attackers install the WP Console plugin, which lets them execute arbitrary code through the WordPress admin, and plant backdoors for persistent access to the site.
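The following Python script is an added example, not code from this article, from Wordfence or from WooCommerce. It shows how a defender can flag exploitation attempts at a WAF or reverse proxy by looking for the spoofed header in raw requests, regardless of the casing the attacker chose, and by noting which requests also target routes that change site state. The sample requests embedded in it are constructed for the example, and the list of state-changing route prefixes is an assumption to adjust for the routes your own site exposes.

```python
"""Added example (not code from the page or from WooCommerce): flag HTTP
requests that try to exploit CVE-2023-28121 in WooCommerce Payments.

Vulnerable plugin versions took the value of the X-Wcpay-Platform-Checkout-User
header as the ID of the current user. This scanner reads raw HTTP requests
(as a WAF or reverse proxy audit log would capture them) and reports every
request that carries the header, the user ID it tries to assume, and whether
it targets a route that can change site state.
"""

HEADER = "x-wcpay-platform-checkout-user"  # HTTP header names are case-insensitive

# Route prefixes that, combined with the header, let an attacker take over a site.
# Assumption for this example; extend it for the routes your site exposes.
STATE_CHANGING_PREFIXES = (
    "/wp-json/wp/v2/users",    # create or promote accounts
    "/wp-json/wp/v2/plugins",  # install/activate plugins such as WP Console
    "/wp-admin/",
)

# Constructed sample traffic for the example; these are not captured requests.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    (
        "POST /wp-json/wp/v2/users HTTP/1.1\r\nHost: shop.example\r\n"
        "X-Wcpay-Platform-Checkout-User: 1\r\nContent-Type: application/json\r\n\r\n"
        '{"username":"wpadmin","password":"x","roles":["administrator"]}'
    ),
    (
        "POST /wp-json/wp/v2/plugins HTTP/1.1\r\nHost: shop.example\r\n"
        "x-wcpay-platform-checkout-user: 1\r\nContent-Type: application/json\r\n\r\n"
        '{"slug":"wp-console","status":"active"}'
    ),
    "GET /?p=1 HTTP/1.1\r\nHost: shop.example\r\nX-WCPAY-PLATFORM-CHECKOUT-USER: abc\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased so lookups do not depend on the casing the
    attacker chose (PHP exposes the header as HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER
    whatever the case on the wire).
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return a finding dict for a request carrying the header, else None."""
    method, path, headers, _ = parse_request(raw)
    value = headers.get(HEADER)
    if value is None:
        return None
    # Vulnerable versions cast the value to an integer user ID; ID 1 is usually
    # the first administrator. A non-numeric value is still a probe worth logging.
    spoofed_user = int(value) if value.isdigit() else None
    return {
        "method": method,
        "path": path,
        "spoofed_user": spoofed_user,
        "state_changing": path.startswith(STATE_CHANGING_PREFIXES),
    }


def scan(requests):
    """Return findings for every request in `requests` that carries the header."""
    return [f for f in (classify(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

On a site that does not use the plugin's platform checkout, any occurrence of this header arriving from the internet is suspicious, and a request combining it with a users or plugins REST route is a takeover attempt. Blocking the header at the edge reduces exposure but is not a substitute for updating the plugin.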

Exploitation of Adobe ColdFusion Vulnerabilities

Separately, Rapid7 reported that it has observed active exploitation of vulnerabilities in Adobe ColdFusion since July 13, 2023. Attackers are using them to deploy web shells on compromised systems, raising the risk for organizations that run ColdFusion.

The vulnerabilities include CVE-2023-29298, an access control bypass with a CVSS score of 7.5 that affects ColdFusion 2023, ColdFusion 2021 Update 6 and earlier, and ColdFusion 2018 Update 16 and earlier. Rapid7 researchers explained that the flaw lets an attacker reach administrative endpoints that should be restricted by manipulating the request URL so that the access control check does not recognise the protected path.
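The Python below is an added, generic illustration of the bug class, not Adobe's code and not the exact request Rapid7 observed. It contrasts an access check that compares the raw request path against a protected prefix with one that canonicalises the path first (percent-decoding, collapsing leading slashes, resolving ".." and folding case) so that variants resolving to the same resource are blocked too. The protected prefix and the sample paths are assumptions made for the example; how your own server decodes and resolves paths is what the canonicalisation must match.

```python
"""Added example (not Adobe's code and not the request Rapid7 observed): why an
access-control check on a raw, un-normalised request path is fragile.

Many servers guard administrative URLs by comparing the request path against a
prefix such as "/CFIDE/". If that comparison happens before the path is
canonicalised, variants that the application later resolves to the same resource
slip past the check. The hardened version canonicalises first, then compares.
"""
import posixpath
from urllib.parse import unquote

# Protected prefix, compared case-insensitively after canonicalisation.
# Assumption for this example: the handler treats paths case-insensitively.
PROTECTED_PREFIXES = ("/cfide/",)


def naive_is_blocked(path):
    """Fragile check: literal prefix match on the raw path as received."""
    return path.startswith("/CFIDE/")


def normalize_path(path):
    """Canonicalise a request path the way a typical handler resolves it.

    Assumptions: the backend percent-decodes once, treats runs of slashes as one,
    resolves "." and ".." segments, and matches directory names case-insensitively.
    """
    decoded = unquote(path)                    # "%43FIDE" -> "CFIDE"
    collapsed = "/" + decoded.lstrip("/")      # "//CFIDE" -> "/CFIDE" (normpath keeps exactly two leading slashes)
    resolved = posixpath.normpath(collapsed)   # "/x/../CFIDE" -> "/CFIDE"; "a//b" -> "a/b"
    if decoded.endswith("/") and not resolved.endswith("/"):
        resolved += "/"                        # normpath drops the trailing slash; keep it
    return resolved.lower()


def hardened_is_blocked(path):
    """Compare only after the path has been canonicalised."""
    canonical = normalize_path(path)
    return any(
        canonical == prefix.rstrip("/") or canonical.startswith(prefix)
        for prefix in PROTECTED_PREFIXES
    )


if __name__ == "__main__":
    # Constructed sample paths: one straightforward, four that evade the naive check.
    samples = [
        "/CFIDE/administrator/index.cfm",
        "//CFIDE/administrator/index.cfm",
        "/x/../CFIDE/administrator/index.cfm",
        "/%43FIDE/administrator/index.cfm",
        "/cfide/administrator/index.cfm",
        "/index.cfm",
    ]
    for p in samples:
        print(f"{p:40} naive={naive_is_blocked(p)!s:5} hardened={hardened_is_blocked(p)}")
```

The lesson that Rapid7's finding underlines is that URL-pattern filtering in front of a handler is only as good as the agreement between the filter's idea of the path and the handler's; even the canonicalisation above is one assumption about that agreement, which is why authorization is better enforced inside the endpoint itself than by matching the URL that reaches it.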

Adobe has released fixes for the vulnerabilities, but Rapid7 warns that the patch for CVE-2023-29298 can still be circumvented, so organizations should update to the latest ColdFusion release as soon as it becomes available and treat exposed instances as at risk in the meantime. The vulnerabilities give adversaries a route to initial access and persistence, underlining the importance of prompt patching and close monitoring of internet-facing ColdFusion servers.
