Social News Hubb

WordPress WooCommerce Payments Plugin Vulnerability

by admin
March 24, 2023


Automattic, publishers of the WooCommerce plugin, announced the discovery and patch of a critical vulnerability in the WooCommerce Payments plugin.

The vulnerability allows an attacker to gain Administrator-level credentials and perform a full site takeover.

Administrator is the highest-permission user role in WordPress, granting full access to a WordPress site with the ability to create more admin-level accounts as well as the ability to delete the entire website.

What makes this particular vulnerability of great concern is that it can be exploited by unauthenticated attackers, which means that they don’t first have to acquire any other permission in order to manipulate the site and obtain an admin-level user role.

WordPress security plugin maker Wordfence described this vulnerability:

“After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.”

The Sucuri website security platform published a warning about the vulnerability that goes into further detail.

Sucuri explains that the vulnerability appears to be in the following file:

/wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php

They also explained that the “fix” implemented by Automattic is to remove the file.

Sucuri observes:

“According to the plugin change history it appears that the file and its functionality was simply removed altogether…”

The WooCommerce website published an advisory that explains why they chose to completely remove the affected file:

“Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.”

The WooCommerce Payments plugin vulnerability was discovered on March 22, 2023 by a third-party security researcher who notified Automattic.

Automattic swiftly issued a patch.

Details of the vulnerability will be released on April 6, 2023.

That means any site that has not updated the plugin will be exposed once those details are public.

What Version of WooCommerce Payments Plugin is Vulnerable

WooCommerce updated the plugin to version 5.6.2. This is considered the most up-to-date and non-vulnerable version of the plugin.

Automattic has pushed a forced update; however, it’s possible that some sites may not have received it.

It is recommended that all users of the affected plugin check that their installations are updated to WooCommerce Payments Plugin version 5.6.2.
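One way to run that check across a WordPress tree on disk, as an added example that is not code from WooCommerce, Sucuri or this article's author. It treats 5.6.2, the only fixed version the article names, as the minimum, and also reports whether the file Sucuri pointed to is still present; the main plugin file name and the function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

PATCHED = (5, 6, 2)  # patched version named in the article
PLUGIN_DIR = "wp-content/plugins/woocommerce-payments"
# File Sucuri pointed to; the article says the fix removed it.
REMOVED_FILE = "includes/platform-checkout/class-platform-checkout-session.php"
MAIN_FILE = "woocommerce-payments.php"  # assumption: usual <slug>/<slug>.php layout


def parse_version(text):
    """Return the plugin header 'Version:' as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(wp_root):
    """Inspect one WordPress tree and report what needs attention."""
    plugin = Path(wp_root) / PLUGIN_DIR
    result = {"installed": plugin.is_dir(), "version": None,
              "needs_update": False, "removed_file_present": False}
    if not result["installed"]:
        return result
    main = plugin / MAIN_FILE
    if main.is_file():
        # Plugin headers sit at the top of the file, so 8 KB is enough.
        result["version"] = parse_version(main.read_text(errors="replace")[:8192])
    # Fail closed: an unreadable version is treated as needing an update.
    result["needs_update"] = result["version"] is None or result["version"] < PATCHED
    result["removed_file_present"] = (plugin / REMOVED_FILE).is_file()
    return result


def make_sample_site(root, version, with_removed_file):
    """Build a constructed plugin tree (sample data, not real plugin code)."""
    plugin = Path(root) / PLUGIN_DIR
    (plugin / "includes/platform-checkout").mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: {version}\n */\n"
    (plugin / MAIN_FILE).write_text(header)
    if with_removed_file:
        (plugin / REMOVED_FILE).write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample_site(tmp, "5.6.1", True)))
```

Point `audit()` at each site's document root; a result with `needs_update` or `removed_file_present` set to true means the forced update did not land on that install.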

Once the vulnerability is patched, WooCommerce recommends taking the following actions:

“Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest:

  • Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
  • Rotating any Payment Gateway and WooCommerce API keys used on your site. Here’s how to update your WooCommerce API keys. For resetting other keys, please consult the documentation for those specific plugins or services.”

Read the WooCommerce vulnerability explainer:

Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know

© Social News Hubb All rights reserved.