Keypoints
- Critical Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium (<= 3.19.0) enables unauthenticated PHP payload uploads that can install a backdoor and allow remote code execution.
- Exploitation relies on the admin_init flow via admin-post.php, with no capability or CSRF checks and no file-type restrictions.
- A patch exists (latest version 3.21.0), and the Wordfence firewall blocks the dangerous uploads, though the firewall rule does not cover every exploitation path.
- Observed payloads include kon.php/1tes.php (loading a remote file manager from shell.prinsh.com), b.php (uploader), and admin.php (backdoor) with specific hashes.
- Attack traffic originated from many IPs, led by 103.138.108.15 and 188.66.0.135, peaking after disclosure and continuing over time.
- Recommendations emphasize updating to the patched version, leveraging firewall protections, and seeking incident response if compromised.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ‘allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin.’
- [T1105] Ingress Tool Transfer – ‘payload in the file_import_csv file parameter’ uploaded and moved onto the server to enable further action; ‘move_uploaded_file’ used to place the file on disk.
- [T1059] Command and Scripting Interpreter – ‘back door’ and ‘Remote Code Execution’ allow attackers to run code on the server via the uploaded PHP payload.
Indicators of Compromise
- [IP Address] Observed attacker IPs – 103.138.108.15, 188.66.0.135
- [Domain] Remote loader domain – shell.prinsh.com
- [File hash] Normalized sha256 hashes – 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c, 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19, and 2 more hashes
- [File name] Malicious scripts – kon.php, 1tes.php, b.php, admin.php
- [URL] Web endpoint used for exploitation – wp-admin/admin-post.php
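As an added defender-side illustration (not code from the advisory, Wordfence, or the plugin), the following Python scans Apache-style access-log lines for the pattern the keypoints describe: a POST to wp-admin/admin-post.php followed by a request for a PHP file under wp-content/uploads from the same client, plus the file names and source IPs from the indicator list above. The log lines, timestamps and the 203.0.113.x / 198.51.100.x / 192.0.2.x clients are constructed; only the file names and the two IPs come from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); documentation-range client IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5120
103.138.108.15 - - [10/Jan/2024:10:02:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
103.138.108.15 - - [10/Jan/2024:10:02:13 +0000] "GET /wp-content/uploads/kon.php HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jan/2024:10:05:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Jan/2024:10:05:02 +0000] "GET /wp-content/uploads/2024/01/invoice.pdf HTTP/1.1" 200 20480
192.0.2.4 - - [10/Jan/2024:10:07:00 +0000] "GET /wp-content/uploads/2024/01/b.php?x=1 HTTP/1.1" 200 300
192.0.2.4 - - [10/Jan/2024:10:07:05 +0000] "GET /wp-content/uploads/2024/01/shim.php HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# File names and source IPs taken from the advisory's indicator list.
KNOWN_NAMES = {"kon.php", "1tes.php", "b.php", "admin.php"}
KNOWN_IPS = {"103.138.108.15", "188.66.0.135"}

def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return (ip, reason) findings in log order; one finding per suspicious request."""
    findings = []
    posted_to_admin_post = defaultdict(bool)   # ip -> has sent a POST to admin-post.php
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]     # drop the query string
        if method == "POST" and path.endswith("/wp-admin/admin-post.php"):
            posted_to_admin_post[ip] = True
            if ip in KNOWN_IPS:
                findings.append((ip, "admin-post.php POST from advisory-listed IP"))
            continue
        if "/wp-content/uploads/" in path and path.lower().endswith(".php"):
            name = path.rsplit("/", 1)[-1]       # WordPress should never serve PHP from uploads
            if posted_to_admin_post[ip]:
                findings.append((ip, f"PHP under uploads fetched after admin-post.php POST: {name}"))
            elif name in KNOWN_NAMES:
                findings.append((ip, f"advisory-listed file name requested: {name}"))
            else:
                findings.append((ip, f"PHP requested under uploads directory: {name}"))
    return findings
```

A 404 on a PHP path under uploads is still reported, since probing for a dropped file is itself worth a look; a real deployment would also pull the POST body size and user agent, which this format omits.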