Thousands of WordPress websites were found running a vulnerable add-on that allows threat actors to take over the site completely.

Researchers discovered a critical flaw in YITH WooCommerce Gift Cards Premium, a website builder add-on that provides an interface for building gift cards on WordPress sites, which is reportedly used by more than 50,000 websites.

The flaw itself is an unauthenticated arbitrary file upload vulnerability, which allows attackers to upload web shells and gain full access to the target website, among other things.

Stealing crypto account details

The vulnerability, tracked as CVE-2022-45359 and given a severity score of 9.8 – Critical, has since been patched, and users are urged to update the add-on as soon as possible, as there are indications that the flaw is being exploited in the wild.

It was first discovered in late November 2022, when researchers found that the flaw affects all versions up to 3.19.0. Users are therefore advised to update the add-on to at least 3.20.0, or to 3.21.0, which is now also available for download.
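As an added defender-side check (example code, not Wordfence's or YITH's own), the script below reads the plugin's `Version:` header to decide whether the install is below the 3.20.0 fix, and lists executable files under `wp-content/uploads`, where an arbitrary file upload bug would leave a web shell. The plugin directory name is an assumption.

```python
import re
import sys
from pathlib import Path

# First patched release named in the article; everything below it is affected.
FIXED_VERSION = (3, 20, 0)
# Suffixes the PHP handler would execute if a web shell were dropped into uploads.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Assumed plugin directory name; adjust to the slug actually installed.
PLUGIN_DIR = "yith-woocommerce-gift-cards-premium"

_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)


def parse_version(header_text: str) -> tuple:
    """Extract the Version: field from a WordPress plugin header comment."""
    m = _HEADER_RE.search(header_text)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True for every release below 3.20.0, i.e. all versions up to 3.19.0."""
    padded = (tuple(version) + (0, 0, 0))[:3]
    return padded < FIXED_VERSION


def suspicious_uploads(relative_paths) -> list:
    """Return upload paths with an executable suffix; uploads should hold media only."""
    return sorted(p for p in relative_paths
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def audit(wp_root: Path) -> dict:
    """Run both checks against a WordPress install on disk."""
    plugin_dir = wp_root / "wp-content" / "plugins" / PLUGIN_DIR
    version = None
    for php in sorted(plugin_dir.glob("*.php")):  # main file name varies, so scan all
        try:
            version = parse_version(php.read_text(errors="replace"))
            break
        except ValueError:
            continue
    uploads = wp_root / "wp-content" / "uploads"
    rel = ([str(p.relative_to(uploads)) for p in uploads.rglob("*") if p.is_file()]
           if uploads.is_dir() else [])
    return {"version": version,
            "vulnerable": version is not None and is_vulnerable(version),
            "suspicious_uploads": suspicious_uploads(rel)}


if __name__ == "__main__":
    print(audit(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```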

The flaw was discovered by Wordfence, a cybersecurity firm that analyzes the WordPress ecosystem, and the researchers claim there are already threat actors exploiting the flaw.

Most of the attacks occurred in November, while the flaw was still a zero-day, but another spike in exploitation attempts was observed on December 14, 2022.

Just two IP addresses (103.138.108.15 and 188.66.0.135) accounted for more than 20,000 exploit attempts against nearly 12,000 websites.

While WordPress core itself is relatively secure (only about 0.5% of all WordPress-related vulnerabilities are in the core platform), the ecosystem is large and therefore offers plenty of opportunities for exploitation. Paid add-ons like this one are usually updated regularly, and their developers try to maintain a secure product, whereas free add-ons can go for months without patches and become a real nightmare for webmasters.