Critical Bug in WooCommerce Payments Exposes Online Stores to Hackers
Critical vulnerability discovered in WooCommerce Payments on WordPress
Automattic, the company responsible for the WordPress content management system, has issued a mandatory security update to patch a critical vulnerability in WooCommerce Payments, a popular online payment system. The flaw, reported by Michael Mazzolini of GoldNetwork, affects versions 4.8.0 and higher and could allow unauthenticated attackers to gain admin access to vulnerable online stores. This could result in the complete takeover of a website without any user interaction. Experts warn that since the vulnerability requires no authentication, it is likely to be exploited on a mass scale soon.
The WooCommerce team has issued a security update that patches the vulnerability. According to Beau Lebens, Head of Engineering at WooCommerce, the team has found no evidence of the vulnerability being targeted or exploited in the wild, and no store or customer data was compromised. However, Automattic has initiated the security update on hundreds of thousands of websites, including those hosted on WordPress.com, Pressable, and WPVIP, to ensure their safety.
Vulnerable WooCommerce online shops being updated
Admins who host a WordPress installation on their own servers must update WooCommerce Payments manually, following the update procedure WooCommerce has provided. Meanwhile, vulnerable WooCommerce stores hosted on WordPress.com are being updated or have already been updated. The patched versions are 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
After securing their stores, admins are advised to check for any suspicious activity, including newly added admin users and suspicious posts. In case of any unexpected activity, admins should immediately update their admin passwords and rotate Payment Gateway and WooCommerce API keys. They are also encouraged to change any private or secret data stored in their WordPress/WooCommerce database, including API keys, public/private keys for payment gateways, and more, depending on their particular store configuration.
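One way to carry out the first of these checks (looking for administrator accounts that should not be there) is to export the admin list with WP-CLI and review it against the accounts you know about. The script below is an added example, not code from the article, from WooCommerce or from Automattic. It reads the JSON that `wp user list --role=administrator --format=json` prints (the field names are the ones WP-CLI emits) and flags any administrator that is not on your expected list or that was registered after a cutoff date you choose, such as the last date the store was known to be clean. The sample user records, the expected-admin set and the cutoff date are constructed for the demonstration.

```python
"""Flag WordPress administrator accounts that warrant a closer look.

Added example (not the article's or WooCommerce's code). Input is the JSON from
`wp user list --role=administrator --format=json`; output is a list of
(user_login, reasons) for accounts that are either unknown to the store owner
or were registered on or after a cutoff date.
"""
import json
from datetime import datetime

# Constructed sample: what `wp user list --role=administrator --format=json`
# might print for a small store. The second account is the kind of entry the
# article tells admins to look for.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "shopowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 10:15:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpuser9231", "user_email": "x@example.net",
     "user_registered": "2023-03-20 04:41:12", "roles": "administrator"},
])

# Assumption: the administrators the store owner actually created.
EXPECTED_ADMINS = {"shopowner"}


def parse_registered(value):
    """WP-CLI prints user_registered as 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def suspicious_admins(users_json, expected_logins, created_after):
    """Return [(user_login, [reason, ...]), ...] for admins to investigate.

    created_after is 'YYYY-MM-DD'; accounts registered on or after that day
    are reported, as are accounts whose login is not in expected_logins.
    """
    cutoff = datetime.strptime(created_after, "%Y-%m-%d")
    findings = []
    for user in json.loads(users_json):
        reasons = []
        if user["user_login"] not in expected_logins:
            reasons.append("not in the known administrator list")
        if parse_registered(user["user_registered"]) >= cutoff:
            reasons.append(f"registered on {user['user_registered']} (after cutoff)")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    # In practice: wp user list --role=administrator --format=json > admins.json
    # and pass that file's contents instead of SAMPLE_USERS_JSON.
    for login, reasons in suspicious_admins(SAMPLE_USERS_JSON, EXPECTED_ADMINS, "2023-03-01"):
        print(f"[!] {login}: {'; '.join(reasons)}")
```

Any account the script reports should be reviewed, not deleted blindly: confirm with whoever runs the store whether they created it, and treat an unexplained administrator as a sign that the password and key rotation described above is needed. The same export-and-compare approach works for the other items the article lists, for example comparing `wp post list --post_status=any --format=json` against the posts you expect.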
Admins advised to check for signs of compromise after WooCommerce patch
The WooCommerce Payments vulnerability could pose a significant threat to online stores, which is why it is essential to take immediate action to protect against it. If you support or develop for other WooCommerce merchants, be sure to share this information and ensure that they are using the latest version of WooCommerce Payments to keep their stores secure.
Source: bleepingcomputer.com