PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover
The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2 with a changelog entry marked simply “Security update.”
After reviewing the update, we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.
We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, March 23, 2023, to Wordfence Premium, Wordfence Care, and Wordfence Response customers.
Regardless of the version of Wordfence you are using, we urge you to update immediately to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.
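For anyone responsible for more than one site, the update advice above can be checked in bulk. The following is an added example, not code from Wordfence or from the plugin: it walks a web root, finds every `woocommerce-payments` plugin directory, reads the version from the plugin header, and flags copies older than 5.6.2. The `wp-content/plugins/<slug>` layout, the `main.php` file name, and the versions in the demo tree are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "woocommerce-payments"    # slug given in the advisory
PATCHED = (5, 6, 2)                     # patched release named in the advisory
HEADER = r"^[ \t/*#@]*{}:\s*(.+?)\s*$"  # line-prefix rule WordPress uses for file headers

def header_field(text, name):
    """Return the value of a 'Name: value' plugin header line, or None."""
    m = re.search(HEADER.format(re.escape(name)), text, re.I | re.M)
    return m.group(1) if m else None

def installed_version(plugin_dir):
    """Read Version from the top-level PHP file that carries a Plugin Name header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # headers sit in first 8 KB
        if header_field(head, "Plugin Name"):
            m = re.match(r"\d+(?:\.\d+)*", header_field(head, "Version") or "")
            return tuple(int(p) for p in m.group().split(".")) if m else None
    return None

def audit(web_root):
    """Return [(relative plugin dir, version tuple or None, status)] under web_root."""
    root, rows = Path(web_root), []
    for d in sorted(root.glob(f"**/wp-content/plugins/{PLUGIN_SLUG}")):
        if not d.is_dir():
            continue
        ver = installed_version(d)
        # Tuples compare numerically, so 5.6.10 is newer than 5.6.2; pad 5.6 to 5.6.0.
        padded = ver + (0,) * (len(PATCHED) - len(ver)) if ver else None
        status = "UNKNOWN" if ver is None else "OK" if padded >= PATCHED else "UPDATE"
        rows.append((d.relative_to(root).as_posix(), ver, status))
    return rows

def demo():
    """Audit a constructed tree of three sites (file name and versions are sample values)."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("a", "5.6.1"), ("b", "5.6.2"), ("c", "5.6.10")):
            d = Path(tmp, site, "wp-content", "plugins", PLUGIN_SLUG)
            d.mkdir(parents=True)
            (d / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: {ver}\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    for path, ver, status in demo():
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{status:7} {shown:8} {path}")
```

A status of `UNKNOWN` means no readable plugin header was found and the directory needs a manual look.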
Description: Authentication Bypass and Privilege Escalation
Affected Plugin: WooCommerce Payments
Plugin Slug: woocommerce-payments
Plugin Developer: Automattic