Critical vulnerability discovered in WooCommerce Payments on WordPress
Automattic, the company responsible for the WordPress content management system, has issued a mandatory security update to patch a critical vulnerability in WooCommerce Payments, a popular online payment system. The flaw, reported by Michael Mazzolini of GoldNetwork, affects versions 4.8.0 and higher and could allow unauthenticated attackers to gain admin access to vulnerable online stores. This could result in the complete takeover of a website without any user interaction. Experts warn that since the vulnerability requires no authentication, it is likely to be exploited on a mass scale soon.
The WooCommerce team has issued a security update that patches the vulnerability. According to Beau Lebens, Head of Engineering at WooCommerce, the team has found no evidence of the vulnerability being targeted or exploited in the wild, and no store or customer data was compromised. However, Automattic has initiated the security update on hundreds of thousands of websites, including those hosted on WordPress.com, Pressable, and WPVIP, to ensure their safety.
Vulnerable WooCommerce online shops being updated
Admins who host a WordPress installation on their own servers will have to manually update their WooCommerce Payments using the provided procedure. Meanwhile, admins of vulnerable WooCommerce online stores hosted on WordPress.com are already in the process of being updated or have already been updated. The patch fixes versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
After securing their stores, admins are advised to check for any suspicious activity, including newly added admin users and suspicious posts. In case of any unexpected activity, admins should immediately update their admin passwords and rotate Payment Gateway and WooCommerce API keys. They are also encouraged to change any private or secret data stored in their WordPress/WooCommerce database, including API keys, public/private keys for payment gateways, and more, depending on their particular store configuration.
Admins advised to check for signs of compromise after WooCommerce patch
The WooCommerce Payments vulnerability could pose a significant threat to online stores, which is why it is essential to take immediate action to protect against it. If you support or develop for other WooCommerce merchants, be sure to share this information and ensure that they are using the latest version of WooCommerce Payments to keep their stores secure.