Automattic, the publishers of the WooCommerce plugin, recently announced the discovery and patching of a critical vulnerability in the WooCommerce Payments plugin.
This vulnerability allows an attacker to gain Administrator-level credentials and execute a full site takeover. The role of an Administrator is the highest permission user role in WordPress, offering complete access to a WordPress site, including the ability to create more admin-level accounts and delete the entire website.
What raises significant concern about this vulnerability is that it is accessible to unauthenticated attackers. This means that attackers do not need to acquire any prior permissions to manipulate the site and obtain admin-level user roles.
WordPress security plugin maker Wordfence described this vulnerability:
> “After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.”
The Sucuri Website security platform also published a warning that delves into further details about the vulnerability.
Sucuri explained that the vulnerability seems to be in the following file:
`/wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php`
They also noted that the fix implemented by Automattic was to remove this file.
Sucuri observed:
> “According to the plugin change history it appears that the file and its functionality was simply removed altogether…”
Additionally, the WooCommerce website published an advisory explaining why they chose to completely remove the affected file:
> “Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.”
The WooCommerce Payment Plugin vulnerability was discovered on March 22, 2023, by a third-party security researcher who notified Automattic. Automattic swiftly issued a patch, with detailed vulnerability information scheduled for release on April 6, 2023.
This means that once those details are public, any site that has not yet updated the plugin will be exposed to the vulnerability.
### What Version of WooCommerce Payments Plugin is Vulnerable
WooCommerce updated the plugin to version 5.6.2, which is considered the most up-to-date and secure version. While Automattic has pushed a forced update, some sites may not have received it.
It is recommended that all users of the affected plugin check their installations to ensure they are updated to WooCommerce Payments Plugin version 5.6.2.
### Once the vulnerability is patched, WooCommerce recommends taking the following actions:
> “Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest:
>
> – Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
> – Rotating any Payment Gateway and WooCommerce API keys used on your site.”
Consult the relevant documentation for instructions on updating your WooCommerce API keys or resetting other specific keys and services.
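The two checks the advisory asks site owners to make, confirming that the plugin is at the patched version and reviewing administrator accounts, can be scripted. The following is an added example written for this article; it is not code from Automattic, WooCommerce, Wordfence or Sucuri. It assumes the plugin's main file is `woocommerce-payments.php` and carries the standard WordPress `Version:` header, and that the user list is in the JSON shape produced by `wp user list --format=json` (fields `ID`, `user_login`, `user_registered`, `roles`). The sample plugin tree, the unpatched version string `5.6.1` and the user records are constructed for the demonstration. It also uses the fact noted above that the fix removed `class-platform-checkout-session.php`, so the presence of that file on disk is treated as a second, independent sign that the update has not landed.

```python
"""Post-patch checks for the WooCommerce Payments advisory (added example).

Assumptions (not from the advisory): the plugin's main file is
woocommerce-payments.php with a standard WordPress "Version:" header, and the
admin list is the JSON produced by `wp user list --format=json`.
All sample data below is constructed.
"""
import json
import os
import re
import tempfile
from datetime import datetime

PATCHED_VERSION = "5.6.2"  # fixed version named in the advisory
# File that the fix removed; its presence suggests an unpatched install.
REMOVED_FILE = "includes/platform-checkout/class-platform-checkout-session.php"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text):
    """Turn '5.6.2' into (5, 6, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def header_version(plugin_main_php):
    """Extract the Version: field from a WordPress plugin header block."""
    m = VERSION_RE.search(plugin_main_php)
    return m.group(1) if m else None


def check_plugin(plugin_dir):
    """Report whether the install looks patched, using two independent signals:
    header version >= 5.6.2, and the removed file being absent from disk."""
    main_php = os.path.join(plugin_dir, "woocommerce-payments.php")  # assumed filename
    with open(main_php, encoding="utf-8") as fh:
        ver = header_version(fh.read())
    stale_file = os.path.exists(os.path.join(plugin_dir, REMOVED_FILE))
    version_ok = ver is not None and parse_version(ver) >= parse_version(PATCHED_VERSION)
    return {
        "version": ver,
        "version_ok": version_ok,
        "vulnerable_file_present": stale_file,
        "patched": version_ok and not stale_file,
    }


def suspicious_admins(users_json, since):
    """List administrator accounts registered on or after `since` (YYYY-MM-DD).

    The cutoff is a review baseline chosen by the operator; accounts it flags
    are candidates for manual confirmation, not proof of compromise."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for u in json.loads(users_json):
        roles = u.get("roles", "")
        if isinstance(roles, str):          # wp-cli emits a comma-separated string
            roles = [r.strip() for r in roles.split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


def build_sample_install(patched):
    """Write a constructed plugin tree to a temp dir and return its path (sample data)."""
    root = tempfile.mkdtemp(prefix="wcpay-")
    version = PATCHED_VERSION if patched else "5.6.1"   # 5.6.1 is a constructed value
    with open(os.path.join(root, "woocommerce-payments.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: %s\n */\n" % version)
    if not patched:
        path = os.path.join(root, REMOVED_FILE)
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed stand-in for the removed file\n")
    return root


# Constructed user records in the shape of `wp user list --format=json`.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2021-05-10 09:12:00", "roles": "administrator"},
    {"ID": 2, "user_login": "shop_editor", "user_registered": "2023-03-30 11:00:00", "roles": "editor"},
    {"ID": 3, "user_login": "wpadmin2", "user_registered": "2023-03-28 02:47:13", "roles": "administrator"},
])

if __name__ == "__main__":
    for flag in (False, True):
        print(check_plugin(build_sample_install(flag)))
    print("admins registered since 2023-03-22:", suspicious_admins(SAMPLE_USERS_JSON, "2023-03-22"))
```

On a real site, point `check_plugin` at the plugin directory under `wp-content/plugins/` and feed `suspicious_admins` the output of `wp user list --role=administrator --format=json`. The date used as the baseline here is the discovery date given above; any account the script flags still needs a human to confirm it was created deliberately before it is removed.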
### Read the WooCommerce vulnerability explainer:
Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know