WooCommerce Payments Plugin Vulnerability Fixed for WordPress
Fixes have been made available for a serious security hole affecting the WordPress plugin WooCommerce Payments, which is used by thousands of websites.
The business issued a warning on March 23, 2023, stating if the weakness is not fixed, a malicious actor may be able to get unauthorised admin access to the stores that are affected. Versions 4.8.0 through 5.6.1 are affected.
According to WordPress security company Wordfence, the flaw could allow an “unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.”
According to Sucuri researcher Ben Martin, the flaw appears to lie in a PHP file called “class-platform-checkout-session.”
The developer of WordPress, Automattic, has released a security update for the widely used WooCommerce Payments plugin, which is present on more than 500,000 websites.
The patch fixes a serious flaw that lets attackers access affected sites’ administrative areas without being authenticated.
According to Wordfence, a WordPress security provider, the vulnerability might allow “an unauthorised attacker to impersonate an administrator and entirely take over a website without requiring any user interaction.”
According to WooCommerce, there is no proof that this serious vulnerability has been used in attacks, and neither online stores nor customer data have been stolen as a result of this problem.
WooCommerce said: “In order to automatically upgrade sites utilising WooCommerce Payments 4.8.0 to 5.6.1 to the corrected versions, we collaborated with the WordPress plugins team and delivered a patch.” As many online stores as possible are currently receiving the update automatically, according to the company.
Michael Mazzolini of the Swiss penetration testing company GoldNetwork is credited with finding and disclosing the vulnerability.
WooCommerce also said it was cooperating with WordPress to automatically update websites running vulnerable versions of the plugin. The patched versions are 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.
In addition, the WooPay beta programme has been disabled by the plugin’s developers because they are worried that the security flaw could negatively affect the payment checkout service.
Although there is currently no proof that the vulnerability has been actively exploited, Wordfence researcher Ram Gall warned that once a proof-of-concept is made public, the vulnerability is likely to be weaponized widely.
In addition to updating to the most recent version, users are advised to check for recently added admin users and, if any are found, to change all administrator passwords and rotate payment gateway and WooCommerce API keys.
Administrators are encouraged to verify their websites for suspicious posts and newly added admin users after safeguarding their stores.
If you notice any strange behaviour, all administrator passwords should be changed right away, along with the Payment Gateway and WooCommerce API keys.
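As an added example (not code from WooCommerce, Automattic or Wordfence), the following Python script turns the advice above into two checks a store operator can run offline: whether an installed WooCommerce Payments version falls inside the affected range without being one of the patched releases listed in this article, and which administrator accounts were registered after a known-good audit date. The version logic generalises the article's list into a per-branch comparison (a release counts as fixed once it reaches the patched release of its own minor branch); that generalisation is an inference here, not a statement from the advisory. The user records are constructed, and their field names (`user_login`, `user_registered`, `roles`) are assumed to match the JSON produced by `wp user list --format=json`.

```python
"""Triage helpers for the WooCommerce Payments admin-takeover advisory.

Added example; not code from WooCommerce, Automattic or Wordfence.
Assumptions:
  * version facts as stated in the article: 4.8.0 through 5.6.1 affected,
    patched releases 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1,
    5.5.2 and 5.6.2;
  * a version on a minor branch is fixed once it is >= that branch's
    patched release (my inference, not a statement from the advisory);
  * user records shaped like `wp user list --format=json` output, with
    `roles` as a comma-separated string (assumed); SAMPLE_USERS below are
    constructed, not real accounts.
"""
from datetime import datetime

AFFECTED_LOW = (4, 8, 0)
AFFECTED_HIGH = (5, 6, 1)
PATCHED_RELEASES = ["4.8.2", "4.9.1", "5.0.4", "5.1.3", "5.2.2",
                    "5.3.1", "5.4.1", "5.5.2", "5.6.2"]


def parse_version(text):
    """Turn '5.6.1' (or '5.6.1-beta') into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


# Map each minor branch (major, minor) to its patched release.
PATCHED_BY_BRANCH = {v[:2]: v for v in map(parse_version, PATCHED_RELEASES)}


def is_vulnerable(version):
    """True if `version` is in the affected range and below its branch's fix."""
    v = parse_version(version)
    if not (AFFECTED_LOW <= v <= AFFECTED_HIGH):
        return False  # outside the range the advisory names
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    # No known fix for the branch: treat as vulnerable (conservative).
    return fixed is None or v < fixed


# Constructed sample of a `wp user list --format=json` export (not real data).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.invalid",
     "user_registered": "2021-06-10 09:12:00", "roles": "administrator"},
    {"ID": 17, "user_login": "shop_manager", "user_email": "sm@example.invalid",
     "user_registered": "2022-11-02 14:30:00", "roles": "shop_manager"},
    {"ID": 58, "user_login": "wp_support_tmp", "user_email": "x@example.invalid",
     "user_registered": "2023-03-24 03:11:47", "roles": "administrator"},
    {"ID": 59, "user_login": "new_customer", "user_email": "c@example.invalid",
     "user_registered": "2023-03-25 10:00:00", "roles": "customer"},
]

# Date of the last administrator audit the operator trusts (constructed value).
BASELINE = datetime(2023, 3, 1)


def suspicious_admins(users, baseline):
    """Return logins of administrator accounts registered after `baseline`."""
    flagged = []
    for user in users:
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered > baseline:
            flagged.append(user["user_login"])
    return flagged


def triage(version, users, baseline):
    """Combine both checks into the actions the article recommends."""
    actions = []
    if is_vulnerable(version):
        actions.append("update WooCommerce Payments to a patched release")
    admins = suspicious_admins(users, baseline)
    if admins:
        actions.append("review admin accounts: " + ", ".join(admins))
        actions.append("rotate all administrator passwords")
        actions.append("rotate payment gateway and WooCommerce API keys")
    return actions


if __name__ == "__main__":
    for action in triage("5.6.1", SAMPLE_USERS, BASELINE):
        print("-", action)
```

Run it against a real export by replacing `SAMPLE_USERS` with the parsed JSON from `wp user list --format=json` and `BASELINE` with the date of your last trusted admin review; an empty `triage` result means the version is outside the affected range and no administrator was created after that date.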
Store owners can use this WordPress plugin, which has more than 500,000 active installs, to offer their customers an easy-to-configure and manageable payment checkout.
Author: Priyanka Sonawane