Hackers find a bug in WordPress’ gift card plugin that has 50K installed

Hackers have targeted a flaw in the YITH WooCommerce gift cards Premium plugin, which is used on more than 50,000 WordPress websites.

The plugin YITH WooCommerce Premium Gift Cards allows website owners to sell gift certificates in their online shops.

Exploiting this vulnerability (tracked as [CVSS v3] 9.8] allows unauthenticated attackers upload files to vulnerable websites, which includes web shells that grant full access.

On November 22nd 2022, CVE-202-25359 was made public. It affected all versions of plugins up to version 3.19.0. CVE-2022-45359 was disclosed to the public on November 22, 2022. It affected all plugin versions up to 3.19.0.

Many sites continue to use an older version that is vulnerable, so hackers are already working on exploits to hack them.

Wordfence security specialists say that hackers are actively attempting to exploit WordPress’ vulnerability. They can upload backdoors to sites and execute remote code, as well as takeover attacks.

Attacks are actively exploited

Wordfence reverse-engineered an exploit hackers are using in attacks, finding that the issue lies in the plugin’s “import_actions_from_settings_panel” function that runs on the “admin_init” hook.

This function also does not conduct CSRF and capability checks on vulnerable versions.

These two issues make it possible for unauthenticated attackers to send POST requests to “/wp-admin/admin-post.php” using the appropriate parameters to upload a malicious PHP executable on the site.

“It is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.” – .

CVE-2022-45359 exploit code


Logs show malicious requests as unintended POST requests coming from unknown IP addresses. This should indicate that site administrators are being attacked.

Wordfence identifies the following files as uploaded:

  • kon.php/1tes.php This file loads the “marijuana Shell” file manager from memory. It can be accessed remotely (shell[.]prinsh[.]. ]com)
  • .php. Simple uploader file
  • admin.php is password-protected backdoor

Analysts report that the majority of attacks took place in November, before administrators could fix it. However, a second peak was detected on December 14, 2022.

The IP address launched 19,604 exploit attempts against 10,936 websites. The second largest IP address was which launched 1,220 attacks on 928 WordPress websites.

Exploitations are ongoing. Users of the YITH WooCommerce Premium plugin for Gift Cards are advised to upgrade to 3.21 immediately.