Critical WooCommerce Payments Vulnerability Leads to Site Takeover

A critical-severity flaw in the WooCommerce Payments WordPress plugin could allow attackers to take over site administrator accounts.

A critical vulnerability in the open-source WooCommerce Payments plugin for WordPress could allow attackers to impersonate any user on the site and potentially take over site administrator accounts.

Developed by Automattic and installed on more than 500,000 websites, the WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce that provides transaction management directly from the store’s dashboard.

On Thursday, Automattic updated WooCommerce Payments to version 5.6.2 to address a privilege escalation vulnerability that could allow an unauthenticated attacker to gain control of an administrator’s account and completely take over a vulnerable website.

“This could allow a malicious user to escalate their regular guest privileges to the privileges of an administrator and further exploit the website. As this vulnerability requires no authentication, it is very likely it will be mass-exploited very soon,” according to an advisory from WordPress security firm Patchstack.

According to Defiant’s Wordfence team, the issue exists in “functionality designed to integrate with the WooCommerce Payment Platform”. Because the flaw is rated ‘critical severity’ (CVSS score of 9.8), no further technical details on the security defect have been released.

Reported by Michael Mazzolini of GoldNetwork, the vulnerability could potentially impact WooCommerce’s new WooPay payment checkout service (currently in beta testing). The beta program has been temporarily disabled.

For sites running WooCommerce Payments 4.8.0 through 5.6.1 that are hosted on WordPress.com, automatic updates are being rolled out. The administrators of all other WordPress websites using a vulnerable plugin version need to update their installations manually.

“All websites with WooCommerce Payments 4.8.0 and higher installed and activated on their site, that are not hosted on WordPress.com and which have not updated to a patched version, are still potentially vulnerable to this issue,” the WooCommerce team said.

WooCommerce says it currently has no evidence that this vulnerability is being exploited in attacks or that store or customer data might have been compromised because of it.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
