A serious security flaw has been discovered in the open-source WooCommerce Payments plugin for WordPress. It could allow attackers to impersonate any user on the website and potentially take control of site administrator accounts.
The WooCommerce Payments plugin, developed by Automattic, is used by over 500,000 websites and provides a payment solution for WooCommerce, allowing store owners to manage transactions from their dashboard.
To address this vulnerability, Automattic released an update to the plugin, version 5.6.2. The flaw allowed unauthenticated attackers to gain access to an administrator’s account without proper credentials, potentially leading to a complete takeover of the website.
The security issue was found in the part of the plugin that integrates with the WooCommerce Payment Platform. The flaw is rated critical (CVSS score of 9.8), indicating a high potential for exploitation.
The vulnerability was reported by Michael Mazzolini of GoldNetwork. The flaw may also impact WooCommerce’s new WooPay payment checkout service, which is currently in beta testing. Due to the seriousness of the situation, the beta program has been temporarily disabled.
For sites hosted on WordPress.com and running WooCommerce Payments 4.8.0 through 5.6.1, automatic updates have been initiated. However, administrators of other WordPress websites using the affected plugin version need to manually update their installations to secure their websites.
The WooCommerce team mentioned that they haven’t found any evidence of the vulnerability being exploited or any customer data being compromised due to this issue. Nevertheless, it’s essential for website owners to update their plugins promptly to protect their sites from potential attacks.
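For administrators who have to check their own installations by hand, the following script is an added example (not part of the original article or of Automattic's tooling) that reads the installed WooCommerce Payments version with WP-CLI and reports whether it falls in the affected range 4.8.0 through 5.6.1 stated above. It assumes WP-CLI is installed as `wp`, that the plugin slug is `woocommerce-payments`, and that versions are plain dotted numbers.

```shell
#!/bin/sh
# Affected range from the advisory: 4.8.0 through 5.6.1; fixed in 5.6.2.
AFFECTED_MIN="4.8.0"
FIXED_VERSION="5.6.2"

# version_ge A B: succeeds when dotted version A >= B, comparing
# component by component (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# is_affected VERSION: succeeds when VERSION lies in [4.8.0, 5.6.2).
is_affected() {
    version_ge "$1" "$AFFECTED_MIN" && ! version_ge "$1" "$FIXED_VERSION"
}

# check_site WP_PATH: query the installed plugin version via WP-CLI
# (assumed available as `wp`) and report; returns 1 when vulnerable.
check_site() {
    installed="$(wp --path="$1" plugin get woocommerce-payments --field=version 2>/dev/null)" || {
        echo "woocommerce-payments not installed at $1"
        return 0
    }
    if is_affected "$installed"; then
        echo "VULNERABLE: $installed at $1 (update to $FIXED_VERSION or later)"
        return 1
    fi
    echo "OK: $installed at $1"
}

# Usage (one site per argument): ./check-wcpay.sh /var/www/site1 /var/www/site2
for site in "$@"; do
    check_site "$site"
done
```

Run it against each WordPress root; a non-zero exit from `check_site` marks an installation that still needs the manual update.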
Reference: https://bit.ly/3rHhvvo