Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign.
The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover.
"Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post.
Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of the software.
A common denominator observed in the attacks entails the use of the HTTP request header "X-Wcpay-Platform-Checkout-User: 1" that causes susceptible sites to treat any additional payloads as coming from an administrative user.
Wordfence said the aforementioned loophole is being weaponized to deploy the WP Console plugin, which can be used by an administrator to execute malicious code and install a file uploader to set up persistence and backdoor the compromised site.
Adobe ColdFusion Flaws Exploited in the Wild
The disclosure comes as Rapid7 reported that it observed active exploitation of Adobe ColdFusion flaws in multiple customer environments starting July 13, 2023, to deploy web shells on infected endpoints.
"Threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability," Rapid7 security researcher Caitlin Condon said. The additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that was addressed in an out-of-band update released on July 14.
CVE-2023-29298 (CVSS score: 7.5) concerns an access control bypass vulnerability impacting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.
"The vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL," Rapid7 disclosed last week.
Rapid7, however, warned that the fix for CVE-2023-29298 is incomplete and that it could be trivially modified to bypass the patches released by Adobe.
Users are recommended to update to the latest version of Adobe ColdFusion to secure against potential threats, since the fixes put in place to resolve CVE-2023-38203 breaks the exploit chain.
