Critical flaw in WooCommerce Payments plugin allows site takeover

A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites.

On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2.

The WooCommerce Payments plugin is a fully integrated payment solution for the WooCommerce open source e-commerce platform, the plugin is developed by Automattic. WooCommerce Payments is installed on over 500,000 sites.

The researchers analyzed the patch and determined that the development team behind the plugin has removed a portion of code that could have allowed an unauthenticated attacker to impersonate an administrator and completely take over a WordPress website without any user interaction.

The vulnerability impacts plugin versions 4.8.0 through 5.6.1, it was first discovered by Michael Mazzolini from penetration testing firm GoldNetwork.

“We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium, Wordfence Care, and Wordfence Response customers.” reads the advisory published by Wordfence.

“Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately.”

According to the analysis conducted by the WordPress security firm Sucuri, the vulnerability resides in a PHP file called “class-platform-checkout-session.php.”

Automattic is issuing automatic/forced updates of all WordPress websites using its plugin.

WooCommerce recommends admins of websites using the plugin to:

Update woocommerce-payments to version 5.6.2 immediately
Change all administrator passwords
Rotate your payment gateway and WooCommerce API keys

The good news is that there is no evidence that the vulnerability has been actively exploited in the wild, however, experts warn that threat actors could use it very soon.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.