Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Mar 24, 2023Ravie LakshmananWeb Security / WordPress

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.

The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.

Put differently, the issue could permit an “unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required,” WordPress security company Wordfence said.

The vulnerability appears to reside in a PHP file called “class-platform-checkout-session.php,” Sucuri researcher Ben Martin noted.

Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork.

WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.


Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.


Furthermore, the maintainers of the e-commerce plugin noted that it’s disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

There is no evidence that the vulnerability has been actively exploited to date, but it’s expected to be weaponized on a large scale once a proof-of-concept becomes available, Wordfence researcher Ram Gall cautioned.

Besides updating to the latest version, users are recommended to check for newly added admin users, and if so, change all administrator passwords and rotate payment gateway and WooCommerce API keys.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Cyber Security

Articles You May Like

Microsoft employees’ cybersecurity contributions will factor into their pay
Apple shares pop to record high after company unveils AI software
FDA approves two new Abbott over-the-counter continuous glucose monitors
Realme GT 6 Confirmed to Get Snapdragon 8s Gen 3 SoC Ahead of June 20 India Launch
Cybersecurity CPEs: Unraveling the What, Why & How

Leave a Reply

Your email address will not be published. Required fields are marked *