As per the company’s advisory on March 23, 2023, an unaddressed vulnerability may allow a malicious individual to attain unapproved admin access to affected stores. Versions 4.8.0 through 5.6.1 are impacted by this issue.
In other words, according to WordPress security firm Wordfence, an “unauthenticated attacker” could potentially take control of a website without the need for social engineering or user interaction through an authentication bypass issue in WooCommerce Payments. This flaw would allow the attacker to impersonate an administrator and gain complete control of the site. For more information, please visit Wordfence’s blog post on the critical issue.
According to Ben Martin, a researcher at Sucuri, a critical vulnerability has been discovered in the WooCommerce Payments system, and it seems to be located in a PHP file called “class-platform-checkout-session.php.” You can read more about this issue on Sucuri’s blog.
Michael Mazzolini, who works for the Swiss penetration testing company GoldNetwork, has been credited with identifying and disclosing the vulnerability.
WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
In addition, the team responsible for managing the e-commerce plugin has announced the discontinuation of the WooPay beta program due to their apprehensions regarding the possible repercussions of the security flaw on the payment checkout service. Click here to learn more.
Ram Gall, a researcher at Wordfence, has cautioned that while there is currently no evidence of active exploitation of the vulnerability, it is expected to be used widely once a proof-of-concept is developed.
In addition to upgrading to the most recent version, it is suggested that users also verify for any newly added admin users. If any are detected, it is advised to modify all administrator passwords and rotate payment gateway and WooCommerce API keys.