Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.
The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
Put differently, the issue could permit an “unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required,” WordPress security company Wordfence said.
The vulnerability appears to reside in a PHP file called “class-platform-checkout-session.php,” Sucuri researcher Ben Martin noted.
Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork.
WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.
Furthermore, the maintainers of the e-commerce plugin noted that it’s disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.
There is no evidence that the vulnerability has been actively exploited to date, but it’s expected to be weaponized on a large scale once a proof-of-concept becomes available, Wordfence researcher Ram Gall cautioned.
Besides updating to the latest version, users are recommended to check for newly added admin users, and if so, change all administrator passwords and rotate payment gateway and WooCommerce API keys.