SOCRadar® Cyber Intelligence Inc. | RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks


Dec 28, 2022

RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks

In late November 2022, security researchers disclosed a critical vulnerability in Yith's WooCommerce Gift Cards plugin. The flaw, tracked as CVE-2022-45359 (CVSS score: 9.8), lets unauthenticated attackers achieve remote code execution and ultimately take over the affected WordPress site.

The Yith WooCommerce Gift Cards plugin, which has over 50,000 downloads, enables e-commerce sites to generate gift cards that their customers can buy for others.

Which Sites Does CVE-2022-45359 Affect, and How?

The vulnerability affects WordPress sites running version 3.19.0 or earlier of the plugin.

CVE-2022-45359 allows unauthenticated attackers to upload arbitrary files, including executables, to vulnerable e-commerce sites. From there they can install backdoors, obtain remote code execution, and take full control of the website for further compromise.

The vulnerability lies in an import function (import_actions_from_settings_panel) that runs on the admin_init hook. That hook fires on every request handled under the /wp-admin/ directory, including wp-admin/admin-post.php and wp-admin/admin-ajax.php, and it fires before WordPress checks whether the visitor is logged in, so any function attached to it is reachable without authentication unless it performs its own checks.

The affected function performed neither a CSRF (cross-site request forgery) nonce check nor a capability check, so an attacker could trigger it simply by sending a crafted POST request to the wp-admin/admin-post.php endpoint with the parameters and payload the import routine expects. Because the function also did not validate the type of the uploaded file, attackers could upload any file, including executable PHP files, and then request them directly to run code on the server.
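The following is an added illustration of the pattern described above, not the plugin's own code: a handler hooked to admin_init with no nonce, capability or file-type check, placed beside a hardened version that hooks the action-specific admin_post hook and performs all three checks. The function, field and action names (ywgc_demo_*) are assumptions chosen for the example.

```php
<?php
// Added example, not taken from the Yith plugin. Names prefixed ywgc_demo_
// are invented for illustration.

// --- Vulnerable pattern --------------------------------------------------
// admin_init fires on every request under wp-admin/, including admin-post.php
// and admin-ajax.php, BEFORE WordPress checks whether the visitor is logged in.
add_action( 'admin_init', 'ywgc_demo_import_vulnerable' );

function ywgc_demo_import_vulnerable() {
    if ( ! isset( $_POST['ywgc_demo_import'] ) || empty( $_FILES['ywgc_demo_file'] ) ) {
        return;
    }
    // No current_user_can(), no nonce, no extension check: an unauthenticated
    // POST carrying a .php "import file" is written into the uploads directory,
    // where the web server will happily execute it.
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['basedir'] )
          . basename( $_FILES['ywgc_demo_file']['name'] );
    move_uploaded_file( $_FILES['ywgc_demo_file']['tmp_name'], $dest );
}

// --- Hardened pattern ----------------------------------------------------
// 1. Hook admin_post_{action}: it fires only for logged-in users who POST
//    action=ywgc_demo_import, and no admin_post_nopriv_ variant is registered.
add_action( 'admin_post_ywgc_demo_import', 'ywgc_demo_import_hardened' );

function ywgc_demo_import_hardened() {
    // 2. Capability check: only administrators may import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. CSRF protection. The form must emit
    //    wp_nonce_field( 'ywgc_demo_import', 'ywgc_demo_nonce' ).
    check_admin_referer( 'ywgc_demo_import', 'ywgc_demo_nonce' );

    if ( empty( $_FILES['ywgc_demo_file'] )
         || $_FILES['ywgc_demo_file']['error'] !== UPLOAD_ERR_OK ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }

    // 4. File-type check: accept only the format an import can legitimately be.
    //    wp_check_filetype_and_ext() inspects both the name and the content.
    $check = wp_check_filetype_and_ext(
        $_FILES['ywgc_demo_file']['tmp_name'],
        $_FILES['ywgc_demo_file']['name'],
        array( 'csv' => 'text/csv' )
    );
    if ( empty( $check['ext'] ) ) {
        wp_die( 'Unsupported import file type.', '', array( 'response' => 415 ) );
    }

    // 5. Parse the upload in memory from its temporary location; never copy it
    //    into a web-served directory.
    $rows = array_map(
        'str_getcsv',
        file( $_FILES['ywgc_demo_file']['tmp_name'], FILE_IGNORE_NEW_LINES )
    );
    // ... apply the imported settings from $rows here ...

    wp_safe_redirect( admin_url( 'admin.php?page=ywgc_demo&imported=' . count( $rows ) ) );
    exit;
}
```

The order of the checks matters: the capability check rejects anonymous and low-privilege users before the nonce is even looked at, and the file-type check runs before anything touches the disk. Moving from admin_init to an admin_post_{action} hook is what removes the unauthenticated reachability entirely; the nonce and capability checks are still required, because an authenticated low-privilege user or a CSRF victim could otherwise reach the handler.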

Apply Fixed Updates to Prevent Attacks 

The vulnerability is being exploited in the wild, with the following IP addresses accounting for the vast majority of observed exploitation attempts:

  • 103.138.108[.]15 
  • 188.66.0[.]135 

Site administrators can look for exploitation attempts by inspecting their web server logs for POST requests to wp-admin/admin-post.php. Legitimate administrative form submissions also POST to that endpoint, so focus on requests that arrive without an authenticated session, originate from the IP addresses above, or carry multipart file uploads from unfamiliar sources, and check the uploads directory for unexpected .php files. See additional indicators of compromise (IOCs) here.

Users of the Yith WooCommerce Gift Cards plugin must update to version 3.20.0 or later to close the vulnerability.

Better Prioritize Patches With SOCRadar

Figure: the WooCommerce vulnerability as tracked on the SOCRadar platform, where you can follow company vulnerabilities.

After fully compromising an e-commerce store, an attacker may try to scam its customers, causing business disruption, financial damage, and loss of customer trust. 

Protect your brand with SOCRadar’s External Attack Surface Management (EASM), which can help identify vulnerabilities that put your digital assets at risk and warn you before any consequences arise, allowing you to manage actions and prioritize updates.