Patches have been made available for a significant security vulnerability that affects the WooCommerce Payments plugin used by more than 500000 websites on WordPress.
According to a statement released on March 23rd, 2023, if not rectified, the vulnerability could allow a malicious individual to obtain unauthorized administrative privileges for affected stores. This issue affects versions 4.8.0 through 5.6.1.
In other words, Wordfence, a company specializing in WordPress security, stated that the problem could potentially allow an unauthorized individual to behave as an administrator and gain full control of a website without requiring any user interaction or manipulation.
According to Ben Martin, a researcher at Sucuri, the weakness seems to be located in a PHP document known as "class-platform-checkout-session.php".
Michael Mazzolini from GoldNetwork, a Swiss company that conducts penetration testing, is recognized for uncovering and notifying about the vulnerability.
According to WooCommerce, they collaborated with WordPress to automatically update sites that were utilizing contaminated versions of their software. The updated versions that have been fixed include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2 versions of the software package for the benefit of the users’ security and safety purposes as well as platform reliability and functionality improvements in their systems management activities on their sites or websites and online platforms hosted on WooCommerce's e-commerce portal infrastructure platform system environment suite across globally sourced data centers worldwide in different regions across the world, irrespective of time zones or regions .
In addition, the individuals responsible for managing the e-commerce plugin have announced that they will be discontinuing their participation in the WooPay beta program due to fears that the security vulnerability may negatively impact the payment checkout service.
Ram Gall, a researcher at Wordfence, has warned that although no proof of exploitation of the vulnerability is currently available, there are expectations that it will be widely used as a weapon once a proof-of-concept has been established.
In addition to updating their software to the latest version, users should also check for any new administrator accounts. If such accounts exist, all administrator passwords should be changed and payment gateway and WooCommerce API keys should be rotated.