Over 500,000 websites using the WooCommerce Payments plugin for WordPress were affected by a critical security flaw that could allow bad actors to gain unauthorized admin access to these websites.
The vulnerability was discovered in the “class-platform-checkout-session.php” PHP file and affects versions 4.8.0 through 5.6.1. If left unresolved, it could permit an unauthenticated attacker to impersonate an administrator and take over a website, with no user interaction or social engineering required.
Patches have been released to address the vulnerability, including versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2. WordPress has also worked with WooCommerce to auto-update sites using affected versions of the software.
The maintainers of the e-commerce plugin have also disabled the WooPay beta program due to concerns that the security defect could impact the payment checkout service.
While there is currently no evidence that the vulnerability has been actively exploited, researchers warn that it could be weaponized on a large scale once a proof-of-concept becomes available.
Users are advised to update to the latest version, check for newly added admin users, change all administrator passwords, and rotate payment gateway and WooCommerce API keys.
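One way to carry out the "check for newly added admin users" step is to query the WordPress database directly. The query below is an added example written for this article; it is not code from the article, from WooCommerce, or from the researchers. It assumes a MySQL/MariaDB database with the default `wp_` table prefix, that roles are stored in `wp_usermeta` under the `wp_capabilities` key as a serialized PHP array (which is how WordPress stores them by default), and it uses a placeholder cutoff date that should be replaced with the date the site was last known to be clean.

```sql
-- Added example (not from the article): list administrator accounts
-- registered on or after a cutoff date, so that accounts created while the
-- vulnerable plugin version was installed stand out.
-- Assumptions: default "wp_" table prefix; MySQL/MariaDB; serialized
-- capabilities such as a:1:{s:13:"administrator";b:1;} in wp_usermeta.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM   wp_users AS u
JOIN   wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
WHERE  m.meta_value LIKE '%"administrator"%'
  AND  u.user_registered >= '2023-01-01 00:00:00'  -- placeholder cutoff date
ORDER  BY u.user_registered DESC;
```

Removing the `user_registered` condition returns every administrator account, which can be compared against the site owner's known list of administrators; any account that is not on that list should be treated as suspect, and its removal should be followed by the password and API key rotation described above, since an attacker who held admin access may have created further credentials.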
According to the researchers, this incident highlights the need for website owners to prioritize security and stay vigilant about security updates and patches.
Attackers are constantly searching for vulnerabilities, and keeping software up to date is essential to prevent unauthorized access and data breaches.
E-commerce sites can be particularly vulnerable to attacks, as they deal with sensitive customer information such as payment details and personal data.