Security researchers have recorded over one million attempts to compromise a popular WordPress plugin over the past few days.
Wordfence said the attacks began on July 14 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on July 16.
The security vendor said that the attacks exploited a critical WooCommerce Payments plugin vulnerability (CVE-2023-28121), which has a CVSS score of 9.8.
WooCommerce Payments enables users to accept card payments in WooCommerce-powered online stores and is said to have around 600,000 installations.
If exploited, the vulnerability in question would enable a remote attacker to impersonate an administrator and take control of an impacted WordPress site. Wordfence said it has seen threat actors attempting to use their admin privileges to remotely install the WP Console plugin on victim sites.
“Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence,” it added.
Although the number of attack attempts recorded by Wordfence exceeded one million, the vendor claimed that this campaign is relatively targeted.
“Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites,” it explained.
“What’s particularly interesting is that we began seeing early warning signs several days before the main wave of attacks – an increase in plugin enumeration requests searching for a readme.txt file in the ‘wp-content/plugins/woocommerce-payments/’ directory of millions of sites.”
The WooCommerce Payments plugin vulnerability was patched by its developers on March 23 with version 5.6.2. It affects versions 4.8.0 and higher.