CVE-2023-28121

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

WooCommerce Payments < 4.8.2 and WooPayments < 5.6.2 - Unauthenticated Privilege Escalation via Request Forgery

Title source: llm

Exploitation Summary

CVE-2023-28121 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 9 public exploits from researchers including gbrsh, im-hanzou and luisdevpentest, as well as a Metasploit module, auxiliary/scanner/http/wp_woocommerce_payments_add_user. A Nuclei detection template is also available.

AI-analyzed exploit summary: The exploit demonstrates an unauthorized admin access vulnerability in WooCommerce Payments by leveraging a flawed endpoint to create an administrator account without authentication. It checks the plugin version and sends a crafted POST request to add a new admin user.

Description

An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has an affected version of the plugin activated.

Exploits (9)

nomisec WORKING POC 42 stars
by gbrsh · remote
https://github.com/gbrsh/CVE-2023-28121

The exploit demonstrates an unauthorized admin access vulnerability in WooCommerce Payments by leveraging a flawed endpoint to create an administrator account without authentication. It checks the plugin version and sends a crafted POST request to add a new admin user.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments < 5.6.2
No auth needed
Prerequisites: Target must have a vulnerable version of the WooCommerce Payments plugin installed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 11 stars
by im-hanzou · client-side
https://github.com/im-hanzou/Mass-CVE-2023-28121

This repository contains functional Python scripts that exploit CVE-2023-28121, an unauthenticated privilege escalation vulnerability in WooCommerce Payments < 5.6.2. The scripts automate the process of adding an administrator user by sending crafted HTTP requests to vulnerable WordPress sites.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments < 5.6.2
No auth needed
Prerequisites: List of target WordPress sites · Python environment with required libraries
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by luisdevpentest · poc
https://github.com/luisdevpentest/CVE-2023-28121-WordPress-Privilege-Escalation

The repository provides a functional proof-of-concept for CVE-2023-28121, demonstrating an authentication bypass in WooCommerce Payments that allows unauthenticated users to create administrator accounts via a manipulated HTTP header.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments (WordPress plugin)
No auth needed
Prerequisites: WooCommerce Payments plugin installed · REST API accessible
devstral-2 · analyzed Apr 30, 2026
nomisec WORKING POC 1 star
by rio128128 · client-side
https://github.com/rio128128/Mass-CVE-2023-28121-kdoec

This repository contains a functional Python script that exploits CVE-2023-28121, an unauthenticated privilege escalation vulnerability in WooCommerce Payments < 5.6.2. The script checks for vulnerable versions and adds an admin user by sending crafted HTTP requests.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WooCommerce Payments < 5.6.2
No auth needed
Prerequisites: Target must be running WooCommerce Payments < 5.6.2 · Target must be accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS
by 0axz-tools · remote
https://github.com/0axz-tools/CVE-2023-28121

The repository contains minimal content with no actual exploit code, only a vague command referencing a non-existent 'main.py' and a Telegram flag, which is a common lure tactic. No technical details about CVE-2023-28121 are provided.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by sug4r-wr41th · remote
https://github.com/sug4r-wr41th/CVE-2023-28121

The repository contains a functional Python script that exploits CVE-2023-28121, an authentication bypass vulnerability in WooCommerce Payments (WordPress plugin) versions <= 5.6.1. The exploit sends a crafted POST request to create an administrator user without proper authentication.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments (WordPress plugin) <= 5.6.1
No auth needed
Prerequisites: Target must have WooCommerce Payments plugin <= 5.6.1 installed · WordPress REST API must be accessible
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Jenderal92 · poc
https://github.com/Jenderal92/WP-CVE-2023-28121

The repository contains a functional Python exploit for CVE-2023-28121, which targets an unauthenticated privilege escalation vulnerability in WooCommerce Payments < 5.6.2. The exploit automates the creation of an administrator account by sending crafted HTTP requests to vulnerable WordPress sites.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments < 5.6.2
No auth needed
Prerequisites: Target running WooCommerce Payments < 5.6.2 · Access to the target WordPress site
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by 1337nemojj · remote
https://github.com/1337nemojj/CVE-2023-28121

The repository contains a functional exploit for CVE-2023-28121, an authentication bypass vulnerability in WooCommerce Payments plugin. The exploit leverages the `X-WCPAY-PLATFORM-CHECKOUT-USER` header to impersonate an administrator and create a new admin user via the WordPress REST API.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments plugin for WordPress (versions 4.8.0 - 5.6.1)
No auth needed
Prerequisites: Target must have WooCommerce Payments plugin version 4.8.0 - 5.6.1 installed · WordPress REST API must be accessible
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC
by h00die, Michael Mazzolini, Julien Ahrens · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_woocommerce_payments_add_user.rb

This Metasploit module exploits an authentication bypass in WooCommerce Payments plugin (CVE-2023-28121) to create an unauthorized administrator account by leveraging the X-WCPAY-PLATFORM-CHECKOUT-USER header.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WooCommerce Payments plugin for WordPress (versions 4.8-5.6.2)
No auth needed
Prerequisites: Valid WordPress site with vulnerable WooCommerce Payments plugin · Knowledge of an existing administrator user ID
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WooCommerce Payments - Unauthorized Admin Access
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: http.html:/wp-content/plugins/woocommerce-payments
FOFA: body=/wp-content/plugins/woocommerce-payments

Scores

CVSS v3 9.8
EPSS 0.8692
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-07-17
InTheWild.io 2023-07-18
CWE
CWE-287
Status published
Products (5)
automattic/woocommerce_payments 4.8.0 - 4.8.2
automattic/woopayments 4.9.0
automattic/woopayments 5.3.0
automattic/woopayments 5.4.0
automattic/woopayments 5.6.0 - 5.6.2
Published Apr 12, 2023
Tracked Since Feb 18, 2026