Critical WooCommerce Payments Vulnerability Leads to Site Takeover
A critical vulnerability in the open-source WooCommerce Payments plugin for WordPress could allow attackers to impersonate any user on the site and potentially take over site administrator accounts.
Developed by Automattic and installed on more than 500,000 websites, the WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce that provides transaction management directly from the store’s dashboard.
On Thursday, Automattic updated WooCommerce Payments to version 5.6.2 to address a privilege escalation vulnerability that could allow an unauthenticated attacker to gain control of an administrator’s account and completely take over a vulnerable website.
“This could allow a malicious user to escalate their regular guest privileges to the privileges of an administrator and further exploit the website. As this vulnerability requires no authentication, it is very likely it will be mass-exploited very soon,” according to an advisory from WordPress security firm Patchstack.
According to Defiant’s Wordfence team, the issue exists in “functionality designed to integrate with the WooCommerce Payment Platform”. No further details on the security defect have been released, given that it is rated ‘critical severity’ (CVSS score of 9.8).
Reported by Michael Mazzolini of GoldNetwork, the vulnerability could potentially impact WooCommerce’s new WooPay payment checkout service (currently in beta testing). The beta program has been temporarily disabled.
For sites running WooCommerce Payments 4.8.0 through 5.6.1 that are hosted on WordPress.com, automatic updates are being rolled out. The administrators of all other WordPress websites using a vulnerable plugin version need to update their installations manually.
“All websites with WooCommerce Payments 4.8.0 and higher installed and activated on their site, that are not hosted on WordPress.com and which have not updated to a patched version, are still potentially vulnerable to this issue,” the WooCommerce team said.
WooCommerce says it currently has no evidence that this vulnerability is being exploited in attacks or that store or customer data might have been compromised because of it.
Related: Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites
Related: Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks
Related: WordPress Sites Hacked via Zero-Day Vulnerability in WPGateway Plugin