A serious authentication vulnerability existed in the WordPress plugin WooCommerce Payments, exploiting which could allow rogue access to admin privileges. The plugin developers patched the vulnerability, making WordPress force install plugin updates.
WooCommerce Payments Plugin Vulnerability Received Sneaky Fix
Security researcher Michael Mazzolini of GoldNetwork caught an authentication bypass vulnerability in the WooCommerce Payments WordPress plugin.
The plugin currently boasts over 500,000 active installations, which suggests any vulnerabilities in the plugin threaten the security of thousands of websites.
As elaborated in a post from the plugin developers, the researcher reported the vulnerability through their HackerOne program, prompting the developers to patch the flaw.
While the developers released the vulnerability patch with the WooCommerce Payments plugin version 5.6.2, they didn’t explain the details in the changelog besides mentioning a two-word “Security update” description.
However, Wordfence dived into the details and elaborated on the flaw. As explained in their post, the plugin had a critical severity authentication bypass issue that could let an unauthenticated adversary impersonate any site user. Once done, the attacker could gain elevated privileges on the site, including admin access, which could threaten the target site’s security. The attacker could execute various actions or take over the site with admin access.
As the report gained traction, WooCommerce Payments plugin developers shared details via their own post, explaining that the issue affected plugin versions 4.8.0 through 5.6.1. Hence, the developers rolled out the fix with version 5.6.2, ensuring auto-updates to site users after working with WordPress.org Plugins Team. So while the site admins running the vulnerable plugin versions will automatically receive the updates, the developers still urge the users to update their sites quickly to avoid exploits.
Team Wordfence also stated that the vulnerability could severely threaten websites’ security if a PoC becomes available.
Alongside updating websites, the plugin developers urge users to update their admin account credentials and rotate Payment Gateway and WooCommerce API keys to eliminate risks.
Let us know your thoughts in the comments.