Large-Scale Threat: Over 1M WordPress Hacking Attempts in a Few Days
While people rest, hackers are hard at work.
Security researchers have recorded more than 1 million attempts to compromise a popular WordPress plugin over the past few days. According to data from Wordfence, the attacks began on Friday, July 14th and continued over the weekend, peaking at 1.3 million attacks on 157,000 sites on July 16th.
Wordfence said that the attacks exploited a critical vulnerability in the WooCommerce Payments plugin, CVE-2023-28121 (CVSS: 9.8). The bug allows an unauthenticated attacker to send requests as an elevated user, such as an administrator. The WooCommerce Payments vulnerability was fixed on March 23 in version 5.6.2.
If exploited, the vulnerability allows a remote attacker to gain administrator rights and take control of the vulnerable WordPress site. Wordfence said the attackers tried to use administrator rights to remotely install the WP Console plugin on victim sites. The attackers use WP Console to execute malicious code and place a file uploader to ensure persistence.
Although the number of recorded attack attempts has exceeded 1 million, Wordfence said the campaign is targeted. Unlike many other large-scale campaigns that typically attack millions of sites indiscriminately, experts say, this one targets a smaller set of websites.
It is noteworthy that in the days before the main wave of attacks, there was an increase in plugin enumeration requests. The attackers looked for the “readme.txt” file in the “wp-content/plugins/woocommerce-payments/” directory on the affected sites.
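The reconnaissance described above leaves traces in web server access logs. The following Python sketch is an added example, not code from Wordfence or the original article: it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

# Path the article says was requested before the main attack wave.
PROBE_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"

# Common/combined log format: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_probe(target):
    """True if the request target resolves to the plugin's readme.txt."""
    # Drop query/fragment, decode %xx, collapse '//' and '../' variations.
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # endswith() also covers WordPress installed in a subdirectory.
    return normpath(path).lower().endswith(PROBE_PATH)

def find_probes(lines):
    """Return (probe count per client IP, IPs that received HTTP 200)."""
    per_ip, confirmed = Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m["target"]):
            continue
        per_ip[m["ip"]] += 1
        if m["status"] == "200":  # the plugin's presence was confirmed to the client
            confirmed.add(m["ip"])
    return per_ip, confirmed

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2023:03:14:07 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Jul/2023:03:14:09 +0000] "GET /shop/wp-content/plugins/woocommerce%2Dpayments//readme.txt?x=1 HTTP/1.1" 404 310 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Jul/2023:04:00:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Jul/2023:10:00:00 +0000] "GET /wp-content/plugins/woocommerce-payments/assets/x.css HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, confirmed = find_probes(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(ip, n, "confirmed" if ip in confirmed else "not confirmed")
```

A client that received a 200 for this path on a site still running a version older than 5.6.2 is the case to prioritize for patching and for review of installed plugins and administrator accounts.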
Earlier, specialists at the information security company Patchstack discovered a vulnerability in the WooCommerce Stripe Gateway plugin for WordPress that allows an unauthorized attacker to view the details of an order placed through the plugin. Data disclosure can lead to further attacks such as account hijacking attempts and credential theft through spear-phishing emails.
In addition, in July, a vulnerability was discovered in a WordPress plugin called “Ultimate Member” that allows an attacker to create new user accounts with administrative privileges, giving the attacker full control over affected sites.