Automattic, the company behind the WordPress content management system, is force installing a security update on hundreds of thousands of websites running the highly popular WooCommerce Payments for online stores.
The patch addresses a critical vulnerability that can let unauthenticated attackers gain admin access to vulnerable stores.
This flaw was reported by Michael Mazzolini of GoldNetwork, and it impacts WooCommerce Payments 4.8.0 and higher.
WordFence says unauthenticated attackers can exploit the bug to “impersonate an administrator and completely take over a website without any user interaction or social engineering required,” while Patchstack warns that since “this vulnerability requires no authentication, it is very likely it will be mass-exploited very soon.”
The WooCommerce Team patched it in security updates issued earlier today and says it hasn’t found any evidence that this critical bug is being targeted or exploited in the wild.
“At this time we have no evidence that the vulnerability was exploited beyond identifying it in our own security testing program. We do not believe any store or customer data was compromised as a result of this vulnerability,” said Beau Lebens, Head of Engineering at WooCommerce.
“We immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP.”
Security update rolling out to some vulnerable sites
Vulnerable WooCommerce online shops hosted on WordPress.com are in the process of being updated or have already been updated to patch the vulnerability.
“We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible,” Lebens added.
Admins who host a WordPress installation on their own servers will have to manually update WooCommerce using the following procedure:
- From your WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
- The version number should be displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed below, no further action is needed.
- If a new version is available for download, you should see a notice guiding you to update WooCommerce Payments — please go ahead and do so.
Patched WooCommerce Payments versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
Check for signs of compromise
After securing their stores, admins are advised to check for newly added admin users, and suspicious posts added to their websites.
If you find any evidence of unexpected activity, you should immediately update all admin passwords and rotate Payment Gateway and WooCommerce API keys.
“We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration,” Lebens said.
“We encourage anyone who supports or develops for other WooCommerce merchants to share this information and to make sure that their clients who have WooCommerce Payments installed are using the most updated version of WooCommerce Payments.”
This WordPress plugin has more than 500,000 active installations and can be used to provide store customers with easy-to-configure and manage payment checkout.