A critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin is being actively exploited in the wild, potentially allowing attackers to take over affected sites completely.
The YITH WooCommerce Gift Cards Premium plugin for WordPress could allow a remote attacker to upload arbitrary files, because the plugin does not properly validate file extensions. An attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to plant a backdoor, obtain remote code execution, and take over the site.
The plugin is estimated to have over 50,000 active installations, with the flaw (CVE-2022-45359, CVSS score: 9.8) affecting versions prior to 3.20.0. It’s been addressed in version 3.20.0 released in November 2022.
The bug is being weaponized to gain full access to sites running the YITH WooCommerce Gift Cards Premium plugin, WordPress security company Wordfence noted.
“We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time,” Wordfence warned.
The issue is rooted in the function import_actions_from_settings_panel, which runs on the admin_init hook. According to Wordfence, the vulnerability is the result of a missing capability check and a missing CSRF check, which enables an unauthenticated threat actor to upload any arbitrary file to the server.
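To make the root cause concrete, the following is an added illustrative example and is not code from the YITH plugin, from Wordfence, or from the import_actions_from_settings_panel function itself. It contrasts the unsafe pattern Wordfence describes (an upload handler on admin_init with no capability check and no nonce check) with a hardened handler. The reason such a handler is reachable without logging in is that admin_init fires on every wp-admin request, including admin-ajax.php and admin-post.php, which WordPress serves to unauthenticated visitors. All function, option, field and nonce names below (example_import_settings_unsafe, example_import_settings_safe, example_file, example_nonce, example_imported_settings) are hypothetical.

```php
<?php
/*
 * Illustrative example only: not the YITH plugin's code and not Wordfence's.
 * Names prefixed "example_" are hypothetical.
 */

// --- Unsafe pattern (illustrative) -------------------------------------------
// admin_init runs for admin-ajax.php / admin-post.php requests that need no
// login, so a handler here that trusts $_POST and $_FILES is open to anyone.
function example_import_settings_unsafe() {
    if ( empty( $_POST['example_import'] ) || empty( $_FILES['example_file'] ) ) {
        return;
    }
    // No current_user_can(), no nonce, no extension check: the upload is
    // written under the web root with whatever name and extension it carried.
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['example_file']['name'] );
    move_uploaded_file( $_FILES['example_file']['tmp_name'], $dest );
}
// Deliberately NOT registered: add_action( 'admin_init', 'example_import_settings_unsafe' );

// --- Hardened handler --------------------------------------------------------
function example_import_settings_safe() {
    if ( empty( $_POST['example_import'] ) ) {
        return;
    }

    // 1. Capability check: only users who may manage options can import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF check: the request must carry a nonce bound to this action.
    //    check_admin_referer() terminates the request if the nonce is bad.
    check_admin_referer( 'example_import_settings', 'example_nonce' );

    // 3. Validate the upload before using it.
    if ( empty( $_FILES['example_file'] ) || UPLOAD_ERR_OK !== $_FILES['example_file']['error'] ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $file = $_FILES['example_file'];

    // Accept only the single format the importer understands. WordPress checks
    // both the extension and the file's actual content, not just the name.
    $allowed = array( 'json' => 'application/json' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || 'json' !== $check['ext'] ) {
        wp_die( 'Only .json import files are accepted.', 400 );
    }

    // 4. Never persist the raw upload under the web root: parse it from the
    //    PHP temp path and store only the structured result.
    $data = json_decode( file_get_contents( $file['tmp_name'] ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Import file is not valid JSON.', 400 );
    }
    update_option( 'example_imported_settings', $data );
}
add_action( 'admin_init', 'example_import_settings_safe' );
```

The matching settings form would emit the nonce with `wp_nonce_field( 'example_import_settings', 'example_nonce' )`. The two checks are independent: the capability check stops unauthenticated and low-privilege requests outright, and the nonce check stops a logged-in administrator from being tricked into submitting the form from another site. The extension and content check is what prevents an executable file from ever reaching disk, which is the step the page says was missing.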
Wordfence noted that the targeting of CVE-2022-45359 commenced on November 23, 2022, and that it has blocked over 20,000 attacks with another peak on December 14, 2022.
“Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses: 103.138.108.15, which sent out 19604 attacks against 10936 different sites and 188.66.0.135, which sent 1220 attacks against 928 sites,” Wordfence said.
Users of the YITH WooCommerce Gift Cards Premium plugin are advised to upgrade to the latest version. Should users determine that they may have been compromised, it’s recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.