
Critical WooCommerce Payments Vulnerability Leads to Site Takeover

A critical-severity flaw in the WooCommerce Payments WordPress plugin could allow attackers to take over site administrator accounts.

A critical vulnerability in the open-source WooCommerce Payments plugin for WordPress could allow attackers to impersonate any user on the site and potentially take over site administrator accounts.

Developed by Automattic and installed on more than 500,000 websites, the WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce that provides transaction management directly from the store’s dashboard.

On Thursday, Automattic updated WooCommerce Payments to version 5.6.2 to address a privilege escalation vulnerability that could allow an unauthenticated attacker to gain control of an administrator’s account and completely take over a vulnerable website.

“This could allow a malicious user to escalate their regular guest privileges to the privileges of an administrator and further exploit the website. As this vulnerability requires no authentication, it is very likely it will be mass-exploited very soon,” according to an advisory from WordPress security firm Patchstack.

According to Defiant’s Wordfence team, the issue exists in “functionality designed to integrate with the WooCommerce Payment Platform”. No further technical details of the flaw have been released, given its ‘critical severity’ rating (CVSS score of 9.8).

Reported by Michael Mazzolini of GoldNetwork, the vulnerability could potentially impact WooCommerce’s new WooPay payment checkout service (currently in beta testing). The beta program has been temporarily disabled.

For sites running WooCommerce Payments 4.8.0 through 5.6.1 that are hosted on, automatic updates are being rolled out. The administrators of all other WordPress websites using a vulnerable plugin version need to update their installations manually.
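For administrators checking an inventory of stores against the affected range given above (4.8.0 through 5.6.1, fixed in 5.6.2), the following is an added example of a version-range check; it is not code from SecurityWeek, Automattic or the plugin. It assumes the installed version string has already been read from the plugin header or a management tool, and it compares versions numerically so that a hypothetical 5.10.0 is not mis-sorted below 5.6.1 the way plain string comparison would.

```python
import re
from typing import Dict, Tuple

# Affected range as reported in the article: 4.8.0 through 5.6.1, fixed in 5.6.2.
AFFECTED_MIN = (4, 8, 0)
AFFECTED_MAX = (5, 6, 1)
FIXED_VERSION = (5, 6, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '5.6.1' into a tuple of ints.

    Numeric tuples compare correctly ((5, 10, 0) > (5, 6, 1)), whereas string
    comparison would wrongly sort '5.10.0' before '5.6.1'. A pre-release
    suffix such as '-beta1' is ignored for the range check.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '5.6' compares as (5, 6, 0).
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the installed WooCommerce Payments version is in the reported range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(installed: Dict[str, str]) -> Dict[str, str]:
    """Classify each site (a constructed site-id -> version mapping) for follow-up."""
    result = {}
    for site, version in installed.items():
        v = parse_version(version)
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            result[site] = "update"           # inside 4.8.0 .. 5.6.1
        elif v >= FIXED_VERSION:
            result[site] = "patched"          # 5.6.2 or later
        else:
            result[site] = "below affected range"  # older than 4.8.0
    return result


if __name__ == "__main__":
    # Constructed sample inventory; site names are placeholders, not real hosts.
    sample = {"shop-a.example": "5.6.1", "shop-b.example": "5.6.2",
              "shop-c.example": "4.7.2", "shop-d.example": "5.10.0"}
    for site, status in triage(sample).items():
        print(f"{site}: {status}")
```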


“All websites with WooCommerce Payments 4.8.0 and higher installed and activated on their site, that are not hosted on and which have not updated to a patched version, are still potentially vulnerable to this issue,” the WooCommerce team said.

WooCommerce says it currently has no evidence that this vulnerability is being exploited in attacks or that store or customer data might have been compromised because of it.

Related: Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites

Related: Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks

Related: WordPress Sites Hacked via Zero-Day Vulnerability in WPGateway Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
