Serious WooCommerce Vulnerability Allows Takeover of WordPress Websites


A serious flaw has been found in WooCommerce, a popular plugin for running online stores on the WordPress platform. The flaw could allow cybercriminals to take control of websites. The WooCommerce team has released fixes, although attackers can reverse engineer the patch to locate the flaw; technical details of the vulnerability have not yet been disclosed. There are currently approximately 500,000 active installations of the WooCommerce Payments plugin, which is the component that contains the vulnerability. The creators of WooCommerce have stated that managed WordPress hosting providers such as Pressable and WPVIP have automatically updated websites hosted on their platforms. Administrators of other websites that do not have automatic updates turned on should immediately apply the specific update for their version.

Any version of WooCommerce Payments built after 4.8.0, which was released at the end of September, is susceptible to the vulnerability. Automattic made the following updated versions available: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
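The version list above maps each release branch to its patched build. The following Python helper, added here as an example (it is not WooCommerce or Automattic code), compares an installed WooCommerce Payments version string against that list and reports which update applies. It assumes the 4.8.x branch is affected from 4.8.0 itself, which is consistent with the existence of the 4.8.2 fix, and it deliberately returns "unknown" for any branch the article does not list rather than guessing.

```python
import re

# Patched releases named in the article, keyed by minor branch (major, minor).
PATCHED_BY_BRANCH = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1),
    (5, 0): (5, 0, 4), (5, 1): (5, 1, 3), (5, 2): (5, 2, 2),
    (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
# First affected release (assumption: 4.8.0 itself, since a 4.8.2 fix exists).
FIRST_VULNERABLE = (4, 8, 0)


def parse_version(text):
    """Turn '5.3.0' or '5.3.0-rc1' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def format_version(v):
    return ".".join(str(n) for n in v)


def assess(installed):
    """Return whether `installed` is in the affected range and what to do.

    `vulnerable` is True/False, or None when the branch is not covered by the
    article's patch list (for example a later release line) and must be checked
    against the vendor changelog instead.
    """
    v = parse_version(installed)
    if v < FIRST_VULNERABLE:
        return {"vulnerable": False, "action": "not affected (older than 4.8.0)"}
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return {"vulnerable": None,
                "action": "branch not in the patch list; check the vendor changelog"}
    if v >= fixed:
        return {"vulnerable": False, "action": "already patched"}
    return {"vulnerable": True, "action": f"update to {format_version(fixed)}"}


if __name__ == "__main__":
    # Constructed sample versions, not readings from any real site.
    for ver in ("4.7.3", "4.8.0", "5.3.0", "5.6.2", "5.7.0"):
        print(ver, assess(ver))
```

The installed version string can be read from the plugin header or from WP-CLI (`wp plugin get woocommerce-payments --field=version`); feeding it to `assess()` gives a per-branch answer, which matters because each branch has its own patched build rather than one "latest" release.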

As soon as a patched version of WooCommerce Payments has been installed, administrators of websites using WooCommerce should check their sites for unexpected admin users or unusual posts. The creators of WooCommerce suggest that if suspicious activity is discovered on a website, the passwords of all administrative users of the site should be changed, as well as the API credentials for WooCommerce and payment gateways.
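The post-patch check above (unexpected admin users, unusual posts, then credential rotation) can be run over WP-CLI exports. The Python below is an added example, not code from WooCommerce or this article: it reads constructed sample output of `wp user list` and `wp post list` in CSV form, flags administrator accounts that are either not on a known-good list or were registered on or after a cut-off date (here a constructed placeholder, to be replaced with the date the vulnerable plugin version went live on the site), lists posts authored by those accounts, and emits the rotation checklist from the article's advice when anything was flagged.

```python
import csv
import io
from datetime import datetime

# Constructed sample of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`
# (not data from any real site).
USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2021-03-04 10:00:00,administrator
7,jane,jane@example.com,2022-11-02 09:12:00,shop_manager
42,wp-maint,noreply@example.net,2023-03-20 03:14:07,administrator
"""

# Constructed sample of `wp post list --post_type=any --post_status=any
#   --fields=ID,post_title,post_author,post_date,post_status --format=csv`
POSTS_CSV = """ID,post_title,post_author,post_date,post_status
10,Spring sale,1,2023-03-01 12:00:00,publish
11,Claim your free gift card,42,2023-03-20 03:20:15,publish
12,Draft newsletter,7,2023-03-21 08:00:00,draft
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def unexpected_admins(users, known_logins, since):
    """Administrator accounts that are not on the known-good list, or that were
    registered on/after `since` (when the vulnerable plugin version went live)."""
    flagged = []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], DATE_FMT)
        if user["user_login"] not in known_logins or registered >= since:
            flagged.append(user["user_login"])
    return flagged


def posts_by_logins(posts, users, logins):
    """Titles of posts authored by any of the given logins (the 'unusual posts' check)."""
    author_ids = {u["ID"] for u in users if u["user_login"] in logins}
    return [p["post_title"] for p in posts if p["post_author"] in author_ids]


def audit(users_csv=USERS_CSV, posts_csv=POSTS_CSV,
          known_logins=frozenset({"owner"}), since=datetime(2023, 3, 1)):
    """Run both checks and return what to rotate. `since` is a placeholder date."""
    users = parse_csv(users_csv)
    posts = parse_csv(posts_csv)
    admins = unexpected_admins(users, known_logins, since)
    rotate = []
    if admins:
        # Rotation list taken from the article's advice.
        rotate = ["all administrator passwords",
                  "WooCommerce API keys",
                  "payment gateway credentials"]
    return {
        "unexpected_admins": admins,
        "suspicious_posts": posts_by_logins(posts, users, admins),
        "rotate": rotate,
    }


if __name__ == "__main__":
    print(audit())
```

On a real site, replace the two constants with the actual WP-CLI exports and `known_logins` with the administrator accounts you can vouch for; an empty `unexpected_admins` list is not proof of a clean site, since the article also recommends checking what other plugins store in the database.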

According to the creators of WooCommerce, “WordPress user passwords are scrambled with salts, which means the final hash value is incredibly difficult to crack. This solution uses a salted hash to protect not only your password as an administrative user, but also the credentials of all other users of your website, including customers. While it is conceivable that an attacker took advantage of this vulnerability to acquire a scrambled version of your password that was stored in their database, the hash value itself should be uncrackable, so your passwords should remain secure and not be usable in an unauthorized manner.” However, it is important to note that this only applies to password hashes stored by the default authentication method that comes with WordPress. Other plugins may store credentials, tokens, and API keys in the database without hashing or encrypting them first. Administrators need to examine what potentially sensitive information is stored in their databases and rotate all of it.

WooCommerce has said that it does not believe this vulnerability was used to compromise store or customer data. However, merchants may want to follow how this event develops, as it could affect their business. The issue was reported confidentially through the bug bounty program that Automattic maintains on HackerOne. Although the technical details have not yet been made public, the disclosure policy states that this should happen within the next two weeks. Sucuri experts have already pointed out that the vulnerability was likely in a file called class-platform-checkout-session.php, which appears to have been removed entirely from the patched version, so capable attackers already know where to look.

