WooCommerce Payments, a plugin that allows WooCommerce store owners to accept credit and debit card payments and manage transactions inside the WordPress dashboard, has patched an Authentication Bypass and Privilege Escalation vulnerability with a 9.8 (Critical) CVSS score. The plugin is active on more than 500,000 websites.
Beau Lebens, WooCommerce’s Head of Engineering, published an advisory about the vulnerability today, which he said “could permit unauthorized admin access to impacted stores” if exploited. It was discovered by a security researcher participating in WooCommerce’s HackerOne program.
WooCommerce worked with WordPress.org to push out a forced update for sites running WooCommerce Payments versions 4.8.0 through 5.6.1 to patched versions. Many store owners have automatic updates turned off to ensure proper testing before updating. Now that the vulnerability has been made public, it is imperative that all stores running version 4.8.0+ of the plugin update manually as soon as possible. WooCommerce sites hosted on WordPress.com, Pressable, and WPVIP have already been patched.
At this time WooCommerce does not have any evidence of the vulnerability being exploited but the plugin’s engineers recommend checking for any unexpected admin users or posts addd to the site. The advisory includes further details of what to do if you believe your site has been impacted. As a cautionary measure, WooCommerce has temporarily disabled the WooPay beta program since the vulnerability impacts this new checkout service they have been beta testing.
Reading the code changes, the vulnerability is “any logged-in user can trivially (no coding even required – a beginner armed with a simple web browser extension can do it in a few seconds) change his logged-in user ID to that of any other user, i.e. can log in as any other user (including admins)”.