Attackers Exploit a Flaw in YTTH WooCommerce Gift Card Premium Plugin

Attackers Exploit a Flaw in the YTTH WooCommerce Gift Card Premium Plugin

By Gagandeep Singh 25-Dec-2022

[{"selector":"#anim-1abe7bf9-5cb9-4c91-9cd6-1dc6654add3a","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-111fe5b2-5427-4b30-a8c7-b9923769233e","keyframes":{"transform":["translate3d(0px, 163.58024%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c9c45259-b606-4d75-91f1-90dac94fc7a0","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-28c505a9-f722-4aed-a4b2-06c1d7613435","keyframes":{"transform":["translate3d(0px, 196.08771%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fc0b3958-f9b2-49ad-afc7-cf19508816d8 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] Attackers exploit a critical flaw in the YTTH WooCommerce Gift Cards Premium plugin.

[{"selector":"#anim-9ae7a1d6-5f6a-432c-9c10-e2e784dd323c","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-0ee99d95-d387-44e6-ae15-4ec63d9f8486","keyframes":{"transform":["translate3d(0px, 142.70315%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-cb20657b-1a50-46cb-b991-c472b9ba8910","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1287c9e7-1757-4d80-a832-e55ebbe9dccc","keyframes":{"transform":["translate3d(0px, 153.51848%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-af002372-8321-4230-8764-fa7573aea9e7 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(32.59573787610272%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The YTTH WooCommerce is a plugin that the website’s owners use to sell Gift cards in their online stores; the plugin is used on more than 50K websites.

[{"selector":"#anim-a00da207-9018-4c32-8a99-c317b312ef22","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-70e4123d-cff1-42ab-adef-eb402e3d604d","keyframes":{"transform":["translate3d(0px, 142.70315%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-33afe803-51d1-48a3-9e0b-1a810e3ec6dc","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-133f6917-93c2-4e86-bc5e-cc44f6fd2b90","keyframes":{"transform":["translate3d(0px, 153.51848%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f0dfb368-a693-4bcc-9ab4-e129c79180cc [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-12.514648210040342%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] The vulnerability exploited is traced as CVE-2022-45359 (CVSS v3: 9.8) allows hackers to upload files to websites that include web shells.

[{"selector":"#anim-629f4742-fe0b-48d9-a396-c91466ff3eee","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fe24ea3f-eb89-4109-9a22-13f90f988b42","keyframes":{"transform":["translate3d(0px, 142.70315%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c375cc90-d2c5-4ac0-86ee-101c064fd3b4","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4fc6a68b-a62e-43ab-bb0f-cd327dfb65eb","keyframes":{"transform":["translate3d(0px, 153.51848%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1979d5da-23e2-4dbc-9f0c-c9dd4e640501 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-28.90624987200394%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The web shells give full access to the website, and the vulnerability CVE-2022-45359 affects all versions of the plugin till v3.19.0.

[{"selector":"#anim-ec42c9b2-dcc7-4dc5-b536-224cfdc5ecfe","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-451d6d38-f6ae-4da7-aa83-7e2569f76fc4","keyframes":{"transform":["translate3d(0px, 142.70315%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f77086eb-565d-4efc-ad04-225e5c4cbb38","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-13808449-5468-42ef-a638-aab4d120c4b7","keyframes":{"transform":["translate3d(0px, 153.51848%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-601fb2cb-3211-4150-9552-d2fdb3446870 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-14.240178458450714%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] The critical flaw was addressed in v3.20.0, although many people have not upgraded to the latest version, hence using the vulnerable versions.

[{"selector":"#anim-5df86ea3-7340-4941-9182-5c9e001a4371","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-b87d5296-e8c3-4745-ba62-62c220fc948c","keyframes":{"transform":["translate3d(0px, 136.44728%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-29577c76-f28b-4948-9bc9-a8bbf0358bfd","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-5a4f810f-da01-4144-9a21-a63d496b1afb","keyframes":{"transform":["translate3d(0px, 144.91062%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1bb42161-06a2-452b-a715-a8410bfbe917 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(4.702380969501274%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] Exploitation has already underway, with the attackers utilizing the vulnerability to obtain code execution, apply backdoors on the website, and start the takeover attacks.

[{"selector":"#anim-fbb97cc6-644f-427c-8d7f-0a9884eaa62b","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-7dbec739-d330-46f7-92f7-140e1a174d71","keyframes":{"transform":["translate3d(0px, 136.44728%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4e492a97-871a-42f1-9838-daadb85d20e7","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c427e81b-e9e8-49b5-910e-f32767b9bf94","keyframes":{"transform":["translate3d(0px, 144.91062%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1ddd7d00-96a9-4887-b5a2-b4df624f7927 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.00097644721466%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The pundits at Wordfence reverse-engineered an exploit and said that the vulnerability was in the plugin's “import_actions_from_settings_panel.”

[{"selector":"#anim-33a8d284-ba5c-4d8b-acfa-3e5b3b0ec50c","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-57a9f50a-b5cb-46d9-8c56-75d83f4578df","keyframes":{"transform":["translate3d(0px, 142.38684%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f853c3c8-7783-4b8a-8226-18c6510e686d","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fcc560a1-cc51-46e1-821a-4d8375b508f5","keyframes":{"transform":["translate3d(0px, 151.85184%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-5401509e-34fd-475f-a0f7-5ecd1d268126 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(23.3980304753177%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The experts at Wordfence believe that most of the attacks happened in November & then in December before the plugin author could patch it.

Attackers Exploit a Flaw in the YTTH WooCommerce Gift Card Premium Plugin

Read the Full Story Here.