Cybersecurity researchers have identified a critical severity vulnerability that lies in the YITH WooCommerce Gift Cards premium WordPress plugin. According to research, the plug is being exploited in attacks. The plugin has more than 50,000 installations, and allows online merchants to create gift cards for use on their ecommerce stores. The vulnerability was already reported back in November and a patch was subsequently released. The vulnerability has a CVSS score of 9.8 out of 10 and is tracked as CVE-2022-45359.
The vulnerability allows for arbitrary file upload, which allows attackers to upload executable files to the WordPress sites using the plugin without the released patch. No authentication is required for an attacker to exploit the flaw, security researchers at Wordfence say. An attacker can exploit the vulnerability to install a backdoor on a vulnerable installation, leading to remote code execution and site takeover.
Read More: Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks