Critical vulnerability discovered in WooCommerce e-payment plugin

On March 22, 2023, a critical vulnerability was discovered in the WooCommerce Payments plugin, an extremely popular ecommerce payment plugin for WordPress with over half a million active installs.

Fortunately, the vulnerability was discovered by researcher Michael Mazzolini and responsibly disclosed through HackerOne, giving websites time to install the patched version 5.6.2 before full details of the exploit are released on April 6.

Details are still limited, but what is known is that the vulnerability allows unauthenticated administrative takeover of a site. Administrators running this plugin are advised to apply the patch as soon as possible and to check their WordPress sites for suspicious activity, such as administrative actions taken from unrecognized IP addresses.

According to the official WooCommerce press release, if you operate a WooCommerce/WordPress website with this plugin, it is recommended to perform the following actions:

· Update woocommerce-payments to version 5.6.2 immediately
· Change all administrator passwords
· Rotate your payment gateway and WooCommerce API keys
· It is unlikely that the passwords themselves have been compromised; however, if you reuse passwords across multiple websites, it would be wise to change those as well just in case.
· As an extra precaution, you can also change the salts in your wp-config.php file.
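The checklist above and the earlier advice to look for administrative actions from unrecognized IP addresses can be scripted. The script below is an added example, not code from WooCommerce or from the advisory; it assumes WP-CLI is installed and run from the WordPress root, that your web server writes a combined-format access log, and that you supply your own allowlist of administrator IPs. The sample log lines are constructed, not real traffic, and the patched version 5.6.2 is the only number taken from the page. Payment-gateway keys and WooCommerce REST API keys still have to be revoked and reissued by hand.

```shell
#!/usr/bin/env bash
# Added example: post-disclosure checks for a WordPress site running
# WooCommerce Payments. Not the plugin's or WooCommerce's own tooling.
set -eu

PATCHED_VERSION="5.6.2"   # fixed release named in the advisory

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# flag_suspicious_admin_requests "IP IP ...": read a combined-format access
# log on stdin and print requests that touch administrative surfaces
# (wp-admin pages, logins, user creation over the REST API) from a client IP
# outside the space-separated allowlist. admin-ajax.php is excluded because
# anonymous visitors hit it constantly.
flag_suspicious_admin_requests() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      ip = $1; method = substr($6, 2); path = $7
      admin = (path ~ /^\/wp-admin\// && path !~ /^\/wp-admin\/admin-ajax\.php/) ||
              (method == "POST" && path ~ /^\/(wp-login\.php|wp-json\/wp\/v2\/users)/)
      if (admin && !(ip in ok)) print
    }'
}

# Constructed sample log lines (not real traffic) for a dry run.
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [23/Mar/2023:10:01:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2023:10:05:44 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 310 "-" "python-requests/2.28"
198.51.100.7 - - [23/Mar/2023:10:06:02 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Mar/2023:10:06:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Mar/2023:10:07:30 +0000] "GET /shop/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
EOF
}

# remediate: run the advisory's checklist with WP-CLI (assumed installed, run
# from the WordPress root). Gateway and WooCommerce API key rotation is manual.
remediate() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; run the steps by hand" >&2; return 1; }
  installed=$(wp plugin get woocommerce-payments --field=version)
  if version_lt "$installed" "$PATCHED_VERSION"; then
    echo "woocommerce-payments $installed is vulnerable; updating"
    wp plugin update woocommerce-payments
  else
    echo "woocommerce-payments $installed is at or past $PATCHED_VERSION"
  fi
  # Review every administrator; an account you do not recognise is a red flag.
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
  # Set a fresh random password on each administrator and show it once on the
  # terminal so it can be handed over out of band.
  for id in $(wp user list --role=administrator --field=ID); do
    newpass=$(openssl rand -base64 24)
    wp user update "$id" --user_pass="$newpass"
    echo "user $id: new password $newpass"
  done
  # New salts in wp-config.php invalidate every existing login cookie.
  wp config shuffle-salts
  echo "Now revoke and reissue payment-gateway and WooCommerce REST API keys."
}

case "${1:-}" in
  --remediate) remediate ;;
  *) sample_log | flag_suspicious_admin_requests "203.0.113.10" ;;  # dry run on constructed data
esac
```

Run it with no arguments for the dry run against the constructed log, or point the log scanner at your real log with `flag_suspicious_admin_requests "your.admin.ip" < /var/log/nginx/access.log`; run it with `--remediate` from the WordPress root to apply the checklist. In the dry run only the two requests from 198.51.100.7 are reported: the allowlisted admin's visit and the anonymous admin-ajax.php call are not.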

WooCommerce itself is still safe to use. Unfortunately, vulnerabilities like this pop up from time to time and are a great reminder of why it’s wise to have automatic updates enabled.
