On March 22, 2023, a significant security flaw was identified in the WooCommerce Payments plugin, a widely used eCommerce payment plugin for WordPress with over 500,000 active installations. Fortunately, white hat security researcher Michael Mazzolini discovered the vulnerability and responsibly disclosed it through HackerOne, allowing websites to install the patched version 5.6.2 before the full details of the exploit were revealed on April 6th.
Although the information is currently limited, it is known that the vulnerability enables unauthorized administrative control of websites. Website administrators using this plugin are urged to apply the patch as soon as possible and monitor their WordPress websites for any suspicious activity, such as administrative actions from unfamiliar IP addresses.
The vulnerability seems to be located in the following file:
./wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php
Based on the plugin’s change history, it appears that the file and its functionality were entirely removed:
Automattic, the organization responsible for WordPress and WooCommerce, is deploying automatic and mandatory updates to all websites utilizing this plugin on their wordpress.com sites.
What should I do?
According to the official WooCommerce press release, if you manage a WooCommerce/WordPress website with this plugin, you should take the following steps:
- Update the plugin woocommerce-payments to version 5.6.2 immediately
- Change all administrator passwords
- Rotate your payment gateway and WooCommerce API keys
- Run a free scan with WPSec.com
- Although it is unlikely that the passwords were compromised, if you use the same passwords across multiple websites, it is wise to change them as well as a precaution. If you want to take additional measures, you can also modify the salts in your wp-config.php file.
- WooCommerce remains safe to use. Regrettably, vulnerabilities like this one occasionally arise, serving as a reminder of the importance of enabling automatic updates.
The WooCommerce security team has responded swiftly to resolve this issue, and they deserve commendation for their efforts.
| Patched WooCommerce Payments Versions |
| 4.8.2 |
| 4.9.1 |
| 5.0.4 |
| 5.1.3 |
| 5.2.2 |
| 5.3.1 |
| 5.4.1 |
| 5.5.2 |
| 5.6.2 |