PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover
This post has been updated with additional information that has become available since its publication
The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2 with a changelog entry marked simply “Security update.”
After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.
We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium, Wordfence Care, and Wordfence Response customers.
Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.
Affected Plugin: WooCommerce Payments
Plugin Slug: woocommerce-payments
Plugin Developer: Automattic
Affected Versions: 4.8.0 – 5.6.1
CVE ID: Pending Information
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.6.2
Researcher: Michael Mazzolini
The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account. We are withholding additional details at this time to give users time to update.
According to WooCommerce, the vulnerability was disclosed by Michael Mazzolini of GoldNetwork via their HackerOne program.
We expect to see large-scale attacks targeting this vulnerability once a proof of concept becomes available to attackers.
In today’s PSA we are alerting our user base to a critical-severity vulnerability in WooCommerce Payments, a plugin installed on over 500,000 sites. This vulnerability allows unauthenticated attackers to completely take over a vulnerable site, and we expect to see mass exploitation in the near future. We recommend that all users update to the latest version available, which is 5.6.2 at the time of this writing.
If your site has Wordfence Premium, Wordfence Care, or Wordfence Response installed, your site will have received a firewall rule today, March 23, 2023, protecting it against this vulnerability. If your site is running the free version of Wordfence, the rule will become available 30 days from now, on April 22, 2023.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. Please help make the WordPress community aware of this issue.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.