
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a larger targeted campaign.
This flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), allows an unauthenticated attacker to impersonate any user, including administrators, and perform some actions as the impersonated user. It is an authentication bypass and can lead to a site takeover.
“A large-scale attack against this vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023, continued over the weekend, and hit a peak of 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” Wordfence security researcher Ram Gall said in a Monday post.
WooCommerce Payments versions 4.8.0 through 5.6.1 are vulnerable. This plugin has been installed on over 600,000 sites. A patch for this bug was released by WooCommerce in March 2023, and WordPress issued an automatic update to sites using the affected version of the software.
A commonality observed in these attacks is the use of the HTTP request header “X-Wcpay-Platform-Checkout-User: 1”, which causes susceptible sites to treat any additional payloads as coming from an administrative user.

According to Wordfence, the aforementioned flaw has been weaponized to deploy the WP Console plugin, which an administrator can use to execute malicious code, and to install a file uploader that sets up persistent backdoors on compromised sites.
Adobe ColdFusion flaw exploited
The disclosure comes as Rapid7 reported that it has observed Adobe ColdFusion flaws being actively exploited in multiple customer environments since July 13, 2023, to deploy web shells on infected endpoints.
“Threat actors appear to be exploiting CVE-2023-29298 in combination with a secondary vulnerability,” said Rapid7 security researcher Caitlin Condon. The secondary flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization vulnerability that was addressed in an out-of-band update released on July 14.
CVE-2023-29298 (CVSS score: 7.5) is an access control bypass vulnerability affecting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.
“This vulnerability allows attackers to gain access to administrative endpoints by inserting an unexpected additional slash character into the requested URL,” Rapid7 disclosed last week.
However, Rapid7 warned that the fix for CVE-2023-29298 is incomplete and that the exploit could easily be modified to circumvent the patch Adobe has released.
Because the fix for CVE-2023-38203 breaks the exploit chain, updating to the latest version of Adobe ColdFusion is recommended to protect against potential threats.
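Both campaigns above leave a recognisable trace in web server request logs: the WooCommerce Payments bypass relies on the “X-Wcpay-Platform-Checkout-User: 1” header, and the ColdFusion access-control bypass (CVE-2023-29298) relies on an extra slash in the path of a request for an administrative endpoint. The following detection script is an added example, not code from the article, Wordfence, Rapid7 or either vendor. It scans a constructed JSON-lines log format (one request per line, not any real server's native format) and flags requests that match either indicator. The administrative path prefixes it checks (`/CFIDE/administrator`, `/wp-admin`, `/wp-json/wc/v3`) and the sample log lines are assumptions made for illustration.

```python
"""Flag requests matching the two exploitation patterns described in the article.

Indicators taken from the text:
  * request header "X-Wcpay-Platform-Checkout-User" (WooCommerce Payments bypass)
  * an extra slash in the path of a request to an administrative endpoint
    (ColdFusion CVE-2023-29298 access-control bypass)

The log format is a constructed, simplified JSON-lines format; the admin path
prefixes are assumed for this example.
"""
import json
import re

# Header that, per the article, made vulnerable sites treat the request as
# administrative. Header names are compared case-insensitively.
WCPAY_HEADER = "x-wcpay-platform-checkout-user"

# Path prefixes treated as administrative endpoints (assumption for the example).
ADMIN_PREFIXES = ("/CFIDE/administrator", "/wp-admin", "/wp-json/wc/v3")

# Two or more consecutive slashes anywhere in the path.
DOUBLE_SLASH = re.compile(r"/{2,}")


def parse_record(line: str) -> dict:
    """Parse one constructed JSON-lines record into a dict with lower-cased header names."""
    rec = json.loads(line)
    return {
        "ip": rec.get("ip", ""),
        "method": rec.get("method", ""),
        "path": rec.get("path", ""),
        "status": int(rec.get("status", 0)),
        "headers": {k.lower(): v for k, v in rec.get("headers", {}).items()},
    }


def is_admin_path(path: str) -> bool:
    """True if the path, with repeated slashes collapsed, targets an admin prefix.

    Collapsing first matters: the bypass works precisely because the raw path
    with the extra slash does not look like the admin prefix to a naive check.
    """
    normalised = DOUBLE_SLASH.sub("/", path)
    return any(normalised.startswith(p) for p in ADMIN_PREFIXES)


def classify(rec: dict) -> list[str]:
    """Return the indicator names triggered by one parsed request record."""
    hits = []
    if WCPAY_HEADER in rec["headers"]:
        hits.append("wcpay-platform-checkout-header")
    if is_admin_path(rec["path"]) and DOUBLE_SLASH.search(rec["path"]):
        hits.append("admin-path-extra-slash")
    return hits


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Scan an iterable of log lines; return (ip, path, indicators) for each flagged request."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '{"ip": "203.0.113.10", "method": "POST", "path": "/wp-json/wc/v3/customers", '
    '"status": 200, "headers": {"X-Wcpay-Platform-Checkout-User": "1", "User-Agent": "curl/8.0"}}',
    '{"ip": "198.51.100.7", "method": "GET", "path": "/CFIDE/administrator//index.cfm", '
    '"status": 200, "headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"ip": "192.0.2.44", "method": "GET", "path": "/shop/", "status": 200, '
    '"headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"ip": "192.0.2.45", "method": "GET", "path": "/CFIDE/administrator/index.cfm", '
    '"status": 403, "headers": {}}',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

The header check is a straightforward string match, so it is also suitable as a WAF or reverse-proxy rule in front of an unpatched site. The extra-slash check deliberately normalises the path before testing the admin prefix, since a check that only looks at the raw path is exactly what the bypass defeats; a flagged request to an admin endpoint that also returned HTTP 200 deserves priority in triage.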