CVE-2023-28121
published 2023-04-12

Priority: P1 94
Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 86.92% (99.7th percentile)
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

Affected

9 ranges
Vendor      Product               Version range       Fixed in
automattic  woocommerce_payments  >= 4.8.0 < 4.8.2    4.8.2
automattic  woocommerce_payments  >= 5.0.0 < 5.0.4    5.0.4
automattic  woocommerce_payments  >= 5.1.0 < 5.1.3    5.1.3
automattic  woocommerce_payments  >= 5.2.0 < 5.2.2    5.2.2
automattic  woocommerce_payments  >= 5.5.0 < 5.5.2    5.5.2
automattic  woopayments
automattic  woopayments
automattic  woopayments
automattic  woopayments           >= 5.6.0 < 5.6.2    5.6.2

Detection & IOCs (extracted from sources)

other:    X-WCPAY-PLATFORM-CHECKOUT-USER: 1
path:     /wp-content/plugins/woocommerce-payments
url:      /?rest_route=%2Fwp%2Fv2%2Fusers
command:  POST / HTTP/1.1 ... X-WCPAY-PLATFORM-CHECKOUT-USER: 1 ... rest_route=%2Fwp%2Fv2%2Fusers&username=...&roles=administrator
  • Detect exploitation by monitoring for HTTP POST requests containing the X-WCPAY-PLATFORM-CHECKOUT-USER header combined with a REST API call to /wp/v2/users with roles=administrator in the body.
  • A successful exploitation attempt returns HTTP 201 with a JSON body containing 'registered_date', 'username', and 'email' fields — monitor for 201 responses to WordPress REST API user-creation endpoints from unauthenticated sources.
  • Scan for exposed installations by searching for the plugin path /wp-content/plugins/woocommerce-payments in HTTP response bodies (Shodan, FOFA, PublicWWW, Google dork).
  • The authentication bypass is triggered by specifying a valid administrator user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER header; monitor for any request to the WordPress site carrying this non-standard header.
  • The bypass only succeeds if the user ID supplied in X-WCPAY-PLATFORM-CHECKOUT-USER corresponds to an actual administrator account on the target site; ID=1 is the most common default but is not guaranteed.
  • The affected version range is broad: WooCommerce Payments 4.8–5.6.2 (multiple sub-ranges); NVD cites version 5.6.1 and lower, but the Metasploit module lists specific affected sub-ranges up to 5.6.2.
  • Exploitation in the wild began approximately three months after initial disclosure and ten days after a public proof-of-concept was published; patch urgency should not be underestimated despite the delayed initial exploitation window.
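The detection logic from the bullets above (header present, POST to the /wp/v2/users REST route with roles=administrator, HTTP 201 on success) as an added example; this is not code from the vulnerability record or from the plugin. It assumes raw HTTP/1.1 request text plus the response status, as a WAF or reverse proxy would log it, and parses form-encoded bodies only; the sample traffic is constructed.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

HEADER = "x-wcpay-platform-checkout-user"  # non-standard header named in the record
USERS_ROUTE = "/wp/v2/users"               # WordPress REST user-creation route

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def classify(raw: str, status: int) -> Optional[str]:
    """'probe': header present; 'exploit-attempt': header plus POST to
    /wp/v2/users with roles=administrator; 'exploit-confirmed': that and HTTP 201."""
    method, target, headers, body = parse_request(raw)
    if HEADER not in headers:
        return None
    url = urlsplit(target)
    params = parse_qs(url.query)
    params.update(parse_qs(body))  # form-encoded bodies only (assumption)
    # Route may arrive as /wp-json/wp/v2/users or as ?rest_route=%2Fwp%2Fv2%2Fusers
    route = unquote(params.get("rest_route", [url.path])[0])
    roles = [v for k, vs in params.items() if k.startswith("roles") for v in vs]
    if method == "POST" and USERS_ROUTE in route and "administrator" in roles:
        return "exploit-confirmed" if status == 201 else "exploit-attempt"
    return "probe"

# Constructed sample traffic (request text, response status), not real captures.
SAMPLES = [
    ("POST /?rest_route=%2Fwp%2Fv2%2Fusers HTTP/1.1\r\nHost: shop.example\r\n"
     "X-WCPAY-PLATFORM-CHECKOUT-USER: 1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=newadmin&email=a%40example.com&password=x&roles=administrator", 201),
    ("GET /wp-json/wp/v2/posts HTTP/1.1\r\nHost: shop.example\r\n"
     "X-WCPAY-PLATFORM-CHECKOUT-USER: 1\r\n\r\n", 200),
    ("POST /wp-json/wp/v2/users HTTP/1.1\r\nHost: shop.example\r\n"
     "Authorization: Basic PLACEHOLDER\r\n\r\nusername=editor&roles=editor", 201),
]

def scan(samples=SAMPLES):
    """Return [(index, verdict)] for each sample that produced a verdict."""
    verdicts = [(i, classify(raw, status)) for i, (raw, status) in enumerate(samples)]
    return [(i, v) for i, v in verdicts if v]
```

The third sample shows why the header is the pivot: a legitimately authenticated user-creation call without X-WCPAY-PLATFORM-CHECKOUT-USER produces no verdict.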

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL