Attackers Targeting WooCommerce Payments Plugin Security Flaw to Hijack Websites

A recently disclosed critical vulnerability in the WooCommerce Payments WordPress plugin is actively being exploited by cybercriminals as part of a wide-scale targeted attack.

Identified as CVE-2023-28121 (CVSS score: 9.8), the flaw involves an authentication bypass allowing unauthorized attackers to mimic arbitrary users, potentially including administrators. This could lead to the complete takeover of a site.

“From Thursday, July 14, 2023, there was a surge in large-scale attacks exploiting this vulnerability, reaching a peak of 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” noted Wordfence security researcher Ram Gall.

The vulnerable versions include WooCommerce Payments 4.8.0 through 5.6.1, installed on over 600,000 sites. WooCommerce issued patches for this bug back in March 2023, and WordPress subsequently released automatic updates for the affected versions of the software.

The attackers are using the HTTP request header “X-Wcpay-Platform-Checkout-User: 1”, which prompts susceptible sites to treat subsequent payloads as originating from an administrative user.

Wordfence revealed that this exploit is used to install the WP Console plugin, enabling attackers to execute malicious code and install a file uploader to backdoor the compromised site and maintain persistence.
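As an added defender-side example (not Wordfence's, WooCommerce's or WordPress's code), the script below triages the two facts the article gives: whether an installed WooCommerce Payments version falls in the affected 4.8.0 to 5.6.1 range, and whether request records carry the `X-Wcpay-Platform-Checkout-User` header that the vulnerable plugin mistook for an administrator marker. The JSON-lines log format, the source addresses and the request URIs are constructed for the example; a real deployment would feed it whatever header-level log its reverse proxy or WAF exports.

```python
"""Triage helpers for the WooCommerce Payments auth bypass (CVE-2023-28121).

Added example, not the plugin's or Wordfence's code. Assumptions:
- the proxy/WAF exports request headers as one JSON object per line
  (the record layout below is constructed for this example);
- dotted numeric version strings are sufficient for this plugin.
"""
import json
from typing import Dict, Iterable, List

# Header the article reports attackers sending. On an unpatched site its
# presence caused the request to be handled as an administrator.
SUSPECT_HEADER = "x-wcpay-platform-checkout-user"

# Affected range named in the article (inclusive at both ends).
VULN_FROM = (4, 8, 0)
VULN_TO = (5, 6, 1)


def parse_version(v: str) -> tuple:
    """Turn '5.6.1' into (5, 6, 1); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(v: str) -> bool:
    """True when the installed WooCommerce Payments version is in range."""
    return VULN_FROM <= parse_version(v) <= VULN_TO


def has_suspect_header(headers: Dict[str, str]) -> bool:
    """HTTP header names are case-insensitive, so compare lowercased names."""
    return any(name.lower() == SUSPECT_HEADER for name in headers)


def flag_requests(log_lines: Iterable[str]) -> List[dict]:
    """Return the records that carry the impersonation header."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the scan
        headers = rec.get("headers", {})
        if has_suspect_header(headers):
            value = next(v for k, v in headers.items()
                         if k.lower() == SUSPECT_HEADER)
            hits.append({"src": rec.get("src"), "uri": rec.get("uri"),
                         "value": value})
    return hits


# Constructed sample records; addresses and URIs are not real traffic.
SAMPLE_LOG = """
{"src": "198.51.100.7", "uri": "/checkout/", "headers": {"Host": "shop.example", "X-Wcpay-Platform-Checkout-User": "1"}}
{"src": "203.0.113.9", "uri": "/shop/", "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}}
{"src": "198.51.100.7", "uri": "/wp-json/", "headers": {"Host": "shop.example", "x-wcpay-platform-checkout-user": "1"}}
"""

if __name__ == "__main__":
    for v in ("4.7.9", "4.8.0", "5.6.1", "5.6.2"):
        state = "vulnerable" if is_vulnerable_version(v) else "not in affected range"
        print(v, state)
    for hit in flag_requests(SAMPLE_LOG.splitlines()):
        print("suspect request:", hit)
```

The header match is deliberately case-insensitive and ignores the value: on an affected site the damage came from the header being present at all, so a detection keyed on the exact casing or on the literal value `1` would miss trivially varied traffic. Note that standard access logs do not record custom request headers; the proxy or WAF must be configured to log them before this check is useful.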

Simultaneously, reports of active exploitation of Adobe ColdFusion flaws emerged, starting from July 13, 2023. These attacks led to the deployment of web shells on compromised systems.

Attackers appear to be chaining CVE-2023-29298 with a second vulnerability, CVE-2023-38203 (CVSS score: 9.8), according to Rapid7 security researcher Caitlin Condon. The latter, a deserialization flaw, was addressed in an emergency update on July 14.

CVE-2023-29298 (CVSS score: 7.5) relates to an access control bypass vulnerability impacting specific ColdFusion versions. It permits attackers to access administrative endpoints by adding an unexpected extra forward slash character in the requested URL.
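The access control bypass described above is a path-normalization mismatch: the check compares the raw request path against a protected prefix, while the router later collapses the extra slash and serves the administrative endpoint anyway. The added example below (not Adobe's or Rapid7's code) scans constructed Common Log Format lines and flags requests whose raw path differs from its normalized form but whose normalized form lands on a protected prefix. It generalizes slightly beyond the article's extra-slash case to dot segments, which the same normalization removes. The protected prefix list is a placeholder to be set per deployment, and the log lines and addresses are constructed.

```python
"""Flag path-normalization tricks of the kind described for CVE-2023-29298.

Added example, not vendor code. Assumptions:
- PROTECTED_PREFIXES is a placeholder; set it to the endpoints your
  deployment restricts (the ColdFusion admin path is used as an illustration);
- input is an access log in Common Log Format (sample lines are constructed).
"""
import posixpath
import re
from typing import List, Tuple

# Placeholder: protected path prefixes, lowercase and already normalized.
PROTECTED_PREFIXES = ("/cfide/administrator",)

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def raw_path(target: str) -> str:
    """Drop the query string; keep the path exactly as the client sent it."""
    return target.split("?", 1)[0]


def normalized_path(path: str) -> str:
    """Collapse repeated slashes and dot segments as a lenient router would.

    posixpath.normpath keeps a leading '//' on purpose (POSIX semantics),
    so repeated slashes are collapsed explicitly first.
    """
    collapsed = re.sub(r"/+", "/", path)
    norm = posixpath.normpath(collapsed)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm.lower()


def is_protected(path: str) -> bool:
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def analyze(target: str) -> Tuple[bool, str]:
    """Return (suspicious, reason).

    Suspicious when the raw path is not already in normalized form AND the
    normalized form reaches a protected prefix. A direct request to the
    admin path is left to the ordinary access control check; what this
    catches is a path written so that a naive prefix comparison fails while
    the router still resolves it to the protected endpoint.
    """
    raw = raw_path(target)
    norm = normalized_path(raw)
    if raw.lower() != norm and is_protected(norm):
        return True, f"raw={raw!r} normalizes to protected {norm!r}"
    return False, ""


def scan_log(lines: List[str]) -> List[dict]:
    """Run analyze() over CLF lines and return the suspicious requests."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        suspicious, reason = analyze(m["target"])
        if suspicious:
            hits.append({"src": m["src"], "status": m["status"],
                         "reason": reason})
    return hits


# Constructed sample lines; addresses and timestamps are not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '198.51.100.23 - - [14/Jul/2023:10:01:09 +0000] "GET /CFIDE//administrator/index.cfm HTTP/1.1" 200 2048',
    '198.51.100.23 - - [14/Jul/2023:10:01:15 +0000] "GET /cfide/./administrator/index.cfm?x=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [14/Jul/2023:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line is the signal worth paging on: it means the normalization trick reached the endpoint, whereas the direct request in the last sample line was refused as expected. The same logic, applied before the access control decision rather than after the fact in logs, is the fix the article alludes to: compare the normalized path, not the raw one.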

Despite efforts to fix CVE-2023-29298, Rapid7 warned that the patch could be circumvented with minimal modifications. Users are advised to upgrade to the latest Adobe ColdFusion version to mitigate potential threats, as the fixes applied to address CVE-2023-38203 prevent the exploit chain.

Cybersecurity is a critical aspect for any organization in today’s digital era. At Info System Consultants, we are committed to keeping you safe from such threats. It’s time to reinforce your digital defenses. Contact us today to discuss a personalized security strategy for your organization. Stay informed, stay safe!
