Update the WooCommerce Payments Plugin Now!
A critical authentication bypass in WooCommerce Payments allows full site takeover and affects more than 500,000 sites.
If your site has Wordfence Premium, Wordfence Care, or Wordfence Response installed, your site will have received a firewall rule today, March 23, 2023, protecting it against this vulnerability. If your site is running the free version of Wordfence, the rule will become available 30 days from now, on April 22, 2023.
How Does the WooCommerce Payments Plugin Work?
WooCommerce is an open-source e-commerce plugin for WordPress, designed for small to large online merchants running WordPress.
WooCommerce Payments claims to let merchants securely accept major credit and debit cards and let customers pay without leaving the store, with transactions viewed and managed from one place: the WordPress dashboard.
WooCommerce Payments Vulnerability Information
- Description: Authentication Bypass and Privilege Escalation
- Affected Plugin: WooCommerce Payments
- Plugin Slug: woocommerce-payments
- Plugin Developer: Automattic
- Affected Versions: 4.8.0 – 5.6.1
- CVE ID: Pending Information
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Fully Patched Version: 5.6.2
- Researcher: Michael Mazzolini
The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately, it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account. Additional details are being withheld at this time to give users time to update.
According to WooCommerce, the vulnerability was disclosed by Michael Mazzolini of GoldNetwork via their HackerOne program.
What To Do?
- Update to the latest version of the WooCommerce Payments plugin, 5.6.2.
- Additionally, change all administrator passwords and rotate payment gateway and WooCommerce API keys.
- WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability, so treat the update as urgent.
This vulnerability allows unauthenticated attackers to completely take over a vulnerable site, and we expect to see mass exploitation in the near future, and recommend that all users update to the latest version available, which is 5.6.2 at the time of this writing.
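The first step above is easiest to act on if you can tell at a glance whether an installed copy falls inside the affected range 4.8.0 – 5.6.1. The shell script below is an added example, not code from the advisory or from Automattic: it extracts the `Version:` field from a plugin header and classifies it against the range and the patched version 5.6.2 using a numeric dotted-version comparison, so that a version such as 5.10.x is not misread as older than 5.6.2. The plugin header is constructed here, and the WP-CLI command and plugin file path in the comments are assumptions about a typical install.

```shell
#!/bin/sh
# Added example: classify a WooCommerce Payments version against the advisory's
# affected range (4.8.0 - 5.6.1) and patched version (5.6.2).

# version_lt A B: succeeds (exit 0) when dotted version A is numerically lower
# than B. Components are compared as integers, so 5.10.0 > 5.6.2, unlike a
# plain string comparison.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# plugin_version: read a WordPress plugin header on stdin and print the value
# of its "Version:" field (first match only).
plugin_version() {
    awk '/^[[:space:]]*\*?[[:space:]]*Version:/ {
        sub(/.*Version:[[:space:]]*/, ""); print $1; exit
    }'
}

# wcpay_status VERSION: print UNAFFECTED, VULNERABLE or PATCHED.
wcpay_status() {
    v="$1"
    if version_lt "$v" "4.8.0"; then
        echo UNAFFECTED
    elif version_lt "$v" "5.6.2"; then
        echo VULNERABLE
    else
        echo PATCHED
    fi
}

# Constructed sample of a plugin main-file header (not taken from a real site).
SAMPLE_HEADER='/**
 * Plugin Name: WooCommerce Payments
 * Version: 5.6.1
 */'

# Stand-alone usage on the constructed sample. On a live site you would feed
# the real header instead, e.g. (both assumed, not from the advisory):
#   wp plugin get woocommerce-payments --field=version
#   wp-content/plugins/woocommerce-payments/woocommerce-payments.php
sample_version=$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version)
echo "WooCommerce Payments $sample_version: $(wcpay_status "$sample_version")"
```

If the result is VULNERABLE, update to 5.6.2 first and only then rotate administrator passwords and API keys, since credentials rotated while the bypass is still reachable can simply be taken again.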