Web Rank SEO

WordPress WooCommerce Payments Plugin Vulnerability

by itay2468
March 24, 2023

Automattic, publishers of the WooCommerce plugin, announced the discovery and patch of a critical vulnerability in the WooCommerce Payments plugin.


The vulnerability allows an attacker to gain Administrator-level credentials and perform a full site takeover.

Administrator is the highest permission user role in WordPress, granting full access to a WordPress site with the ability to create more admin-level accounts as well as the ability to delete the entire website.

What makes this particular vulnerability of great concern is that it’s available to unauthenticated attackers, which means that they don’t first have to acquire another permission in order to manipulate the site and obtain the admin-level user role.

WordPress security plugin maker Wordfence described this vulnerability:

“After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.”

The Sucuri website security platform published a warning about the vulnerability that goes into further detail.

Sucuri explains that the vulnerability appears to be in the following file:

/wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php

They also explained that the “fix” implemented by Automattic is to remove the file.

Sucuri observes:

“According to the plugin change history it appears that the file and its functionality was simply removed altogether…”

The WooCommerce website published an advisory that explains why they chose to completely remove the affected file:

“Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.”

The WooCommerce Payments plugin vulnerability was discovered on March 22, 2023 by a third-party security researcher who notified Automattic.

Automattic swiftly issued a patch.

Details of the vulnerability will be released on April 6, 2023.

That means any site that has not updated this plugin by then will be exposed once the details are public.

What Version of WooCommerce Payments Plugin is Vulnerable

WooCommerce updated the plugin to version 5.6.2. This is considered the most up-to-date and non-vulnerable version of the plugin.

Automattic has pushed a forced update; however, it’s possible that some sites may not have received it.

It is recommended that all users of the affected plugin check that their installations are updated to WooCommerce Payments Plugin version 5.6.2.

Once the vulnerability is patched, WooCommerce recommends taking the following actions:

“Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest:

Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.

Rotating any Payment Gateway and WooCommerce API keys used on your site. Here’s how to update your WooCommerce API keys. For resetting other keys, please consult the documentation for those specific plugins or services.”
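The version check recommended above can be scripted. The following is an added example, not code from WooCommerce, Automattic or Sucuri: it reads the installed plugin version, compares it with the 5.6.2 release named in this article, and reports whether the file Sucuri identified is still on disk. The main plugin file name `woocommerce-payments.php` and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check one WordPress install against the article's guidance.
# Usage (after sourcing this file): check_site /var/www/html
FIXED_VERSION="5.6.2"   # patched release named in the article
PLUGIN_DIR="wp-content/plugins/woocommerce-payments"
# File Sucuri pointed to; the fix removed it from the plugin.
REMOVED_FILE="includes/platform-checkout/class-platform-checkout-session.php"

# Print the "Version:" header value of the plugin (main file name is assumed).
plugin_version() {
  main="$1/$PLUGIN_DIR/woocommerce-payments.php"
  [ -f "$main" ] || return 1
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$main" |
    head -n 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric per field,
# so 5.10.0 is correctly treated as newer than 5.6.2).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }'
}

# Return 0 = patched, 1 = needs attention, 2 = plugin not found.
check_site() {
  root="$1"; status=0
  if ! ver="$(plugin_version "$root")" || [ -z "$ver" ]; then
    echo "woocommerce-payments: not installed or version unreadable"
    return 2
  fi
  if version_lt "$ver" "$FIXED_VERSION"; then
    echo "woocommerce-payments $ver is older than $FIXED_VERSION: update now"
    status=1
  fi
  if [ -f "$root/$PLUGIN_DIR/$REMOVED_FILE" ]; then
    echo "file removed by the fix is still present: $REMOVED_FILE"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "woocommerce-payments $ver: OK"
  return "$status"
}
```

For the admin-user review WooCommerce recommends, WP-CLI's `wp user list --role=administrator` lists the accounts to compare against the ones you expect.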

Read the WooCommerce vulnerability explainer:

Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know
