Vulnerability allows attackers to impersonate any user and puts as many as 500,000 sites at risk of takeover.

PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover

The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin updated to version 5.6.2 with a changelog entry marked simply “Security update.”

After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.

We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium,  Wordfence Care, and Wordfence Response customers.

Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.

Vulnerability Information

Description: Authentication Bypass and Privilege Escalation 

Affected Plugin: WooCommerce Payments

Plugin Slug: woocommerce-payments

Plugin Developer: Automattic

Affected Versions: <= 5.6.1

CVE ID: N/A

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fully Patched Version: 5.6.2

The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account.

We are withholding additional details at this time to give users time to update.

We do not yet know whether this vulnerability was discovered internally by Automattic or reported by an external researcher, and have not yet determined whether it is actively being exploited in the wild.

We expect to see large-scale attacks targeting this vulnerability once a proof of concept becomes available to attackers.

Conclusion

In today’s PSA we are alerting our user base to a critical-severity vulnerability in WooCommerce Payments, a plugin installed on over 500,000 sites. This vulnerability allows unauthenticated attackers to completely take over a vulnerable site, and we expect to see mass exploitation in the near future. We recommend that all users update to the latest version available, which is 5.6.2 at the time of this writing.

If your site has Wordfence Premium, Wordfence Care, or Wordfence Response installed, your site will have received a firewall rule today, March 23, 2023, protecting it against this vulnerability. If your site is running the free version of Wordfence, the rule will become available 30 days from now, on April 22, 2023.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. Please help make the WordPress community aware of this issue.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.