CVE-2023-28121
Published 2023-04-12
Priority: P1 (94) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.92% (99.7th percentile)
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | woocommerce_payments | >= 4.8.0 < 4.8.2 | 4.8.2 |
| automattic | woocommerce_payments | >= 5.0.0 < 5.0.4 | 5.0.4 |
| automattic | woocommerce_payments | >= 5.1.0 < 5.1.3 | 5.1.3 |
| automattic | woocommerce_payments | >= 5.2.0 < 5.2.2 | 5.2.2 |
| automattic | woocommerce_payments | >= 5.5.0 < 5.5.2 | 5.5.2 |
| automattic | woopayments | — | — |
| automattic | woopayments | — | — |
| automattic | woopayments | — | — |
| automattic | woopayments | >= 5.6.0 < 5.6.2 | 5.6.2 |
Detection & IOCs (extracted from sources)
Command: `POST / HTTP/1.1 ... X-WCPAY-PLATFORM-CHECKOUT-USER: 1 ... rest_route=%2Fwp%2Fv2%2Fusers&username=...&roles=administrator`
- Detect exploitation by monitoring for HTTP POST requests containing the X-WCPAY-PLATFORM-CHECKOUT-USER header combined with a REST API call to /wp/v2/users with roles=administrator in the body.
- A successful exploitation attempt returns HTTP 201 with a JSON body containing 'registered_date', 'username', and 'email' fields; monitor for 201 responses to WordPress REST API user-creation endpoints from unauthenticated sources.
- Scan for exposed installations by searching for the plugin path /wp-content/plugins/woocommerce-payments in HTTP response bodies (Shodan, FOFA, PublicWWW, Google dork).
- The authentication bypass is triggered by specifying a valid administrator user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER header; monitor for any request to the WordPress site carrying this non-standard header.
- The bypass only succeeds if the user ID supplied in X-WCPAY-PLATFORM-CHECKOUT-USER corresponds to an actual administrator account on the target site; ID=1 is the most common default but is not guaranteed.
- Affected version range is broad: WooCommerce Payments 4.8–5.6.2 (multiple sub-ranges); version 5.6.1 and lower are cited by NVD, but the Metasploit module lists specific affected sub-ranges up to 5.6.2.
- Exploitation in the wild began approximately three months after initial disclosure and ten days after a public proof-of-concept was published; patch urgency should not be underestimated despite the delayed initial exploitation window.
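The detection guidance above can be turned into a log-scanning rule. The following is an added example written for this page, not code from any vendor, WAF or detection-rule project: it assumes request records exported from a reverse proxy or WAF as dictionaries with `method`, `path`, `query`, `headers`, `body` and `status` fields (a hypothetical format), and scores each record on the indicators listed above (the non-standard header, a REST user-creation call requesting the administrator role, and a 201 response). The sample records are constructed for the example.

```python
"""Score HTTP request records for CVE-2023-28121 exploitation indicators.

Added example, not part of the original page. The record layout
(method/path/query/headers/body/status) is an assumed export format.
"""
from urllib.parse import parse_qs, unquote

SUSPECT_HEADER = "x-wcpay-platform-checkout-user"   # header named in the advisory
USERS_ROUTE = "/wp/v2/users"                       # WordPress REST user endpoint


def classify_request(rec):
    """Return the list of indicator names that fire for one request record."""
    findings = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if SUSPECT_HEADER in headers:
        findings.append("wcpay_checkout_user_header")

    # WordPress accepts the REST route either as the /wp-json/<route> path or
    # as a rest_route parameter, so check the path, the query and the body.
    qs = parse_qs(rec.get("query", ""))
    body = parse_qs(rec.get("body", ""))
    route = unquote(qs.get("rest_route", body.get("rest_route", [""]))[0])
    path = rec.get("path", "")
    hits_users = route.startswith(USERS_ROUTE) or path.endswith("/wp-json" + USERS_ROUTE)

    if rec.get("method") == "POST" and hits_users:
        findings.append("rest_user_create")
        roles = body.get("roles", qs.get("roles", []))
        if "administrator" in [r.lower() for r in roles]:
            findings.append("admin_role_requested")

    # A 201 on the users endpoint together with the bypass header is the
    # strongest signal that an administrator account was actually created.
    if rec.get("status") == 201 and hits_users and SUSPECT_HEADER in headers:
        findings.append("likely_successful_admin_creation")
    return findings


def severity(findings):
    """Map fired indicators to a triage level (thresholds chosen for this example)."""
    if "likely_successful_admin_creation" in findings:
        return "critical"
    if "wcpay_checkout_user_header" in findings and "admin_role_requested" in findings:
        return "high"
    if "wcpay_checkout_user_header" in findings:
        return "medium"
    if "admin_role_requested" in findings:
        return "low"      # an authenticated admin may legitimately create admins
    return "none"


def scan(records):
    """Return (record id, severity, findings) for every record that fires."""
    out = []
    for rec in records:
        f = classify_request(rec)
        if f:
            out.append((rec["id"], severity(f), f))
    return out


# Constructed sample records (not captured traffic). The first mirrors the
# request shape quoted in the advisory; the others are benign comparisons.
SAMPLE_RECORDS = [
    {"id": 1, "method": "POST", "path": "/", "query": "",
     "headers": {"X-WCPAY-PLATFORM-CHECKOUT-USER": "1",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "rest_route=%2Fwp%2Fv2%2Fusers&username=...&roles=administrator",
     "status": 201},
    {"id": 2, "method": "GET", "path": "/wp-json/wp/v2/posts", "query": "per_page=5",
     "headers": {}, "body": "", "status": 200},
    {"id": 3, "method": "POST", "path": "/wp-json/wp/v2/users", "query": "",
     "headers": {"Cookie": "wordpress_logged_in_example=constructed"},
     "body": "username=newadmin&email=admin@example.test&roles=administrator",
     "status": 201},
]

if __name__ == "__main__":
    for rid, sev, f in scan(SAMPLE_RECORDS):
        print(f"record {rid}: {sev} {f}")
```

Record 1 scores `critical` because all three indicators coincide; record 3 scores only `low`, since an authenticated administrator creating another administrator through the REST API is normal behaviour and should be reviewed rather than alerted on. In production the `low` and `medium` findings are worth correlating with the plugin version on the host and with the source IP's other traffic before escalating.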
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-rw6j-4w4v-pm7m (ghsa_unreviewed, 2023-04-12): CVE-2023-28121 [CRITICAL], CWE-287
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
VulnCheck
automattic woocommerce_payments Improper Authentication (CVE-2023-28121 [CRITICAL], 2023, CVSS 9.8)
Affected: automattic woocommerce_payments
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/; https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-re
No detection rules found.
Nuclei
WooCommerce Payments - Unauthorized Admin Access (CVE-2023-28121 [CRITICAL], CVSS 9.8)
Template (fragment as shown by the source):
```yaml
id: CVE-2023-28121
info:
  name: WooCommerce Payments - Unauthorized Admin Access
  author: DhiyaneshDK
  severity: critical
  description: |
    An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected ve
```
Metasploit
Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation
WooCommerce-Payments plugin for WordPress versions 4.8 before 4.8.2, 4.9 before 4.9.1, 5.0 before 5.0.4, 5.1 before 5.1.3, 5.2 before 5.2.2, 5.3 before 5.3.1, 5.4 before 5.4.1, 5.5 before 5.5.2, and 5.6 before 5.6.2 contain an authentication bypass by specifying a valid user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER header. With this authentication bypass, a user can then use the API to create a new user with administrative privileges on the target WordPress site IF the user ID selected corresponds to an administrator account.
Bleepingcomputer
## Google: 70% of exploited flaws disclosed in 2023 were zero-days
By Bill Toulas (blogs_bleepingcomputer, 2024-10-16)
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.
Specifically, of the 138 vulnerabilities disclosed as actively exploited in 2023, Mandiant says 97 (70.3%) were leveraged as zero-days.
This means that threat actors exploited the flaws in attacks before the impacted vendors knew of the bug's existence or had been able to patch them.
From 2020 until 2022, the ratio between n-days (fixed flaws) and zero-days (no fix available) remained relatively steady at 4:6, but in 2023, the ratio shifted to 3:7.
Google explains that this is not due to a drop in the number of n-days exploited in
Greynoiseio
NoiseLetter October 2024 (blogs_greynoiseio)
References:
- https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
- https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
Timeline: 2023-04-12 published · exploited in the wild