How a Critical Flaw in WooCommerce can be Exploited to Compromise WordPress Websites

WooCommerce Payments, the payment plug-in for the WooCommerce e-commerce platform used by WordPress-based online stores, has been found to contain a critical vulnerability that could allow an unauthenticated attacker to take over a site.

Technical details of the vulnerability have not been published, but the WooCommerce team has released fixed versions, and attackers can be expected to reverse-engineer the fix by comparing a patched release against the previous one. The flaw allows an unauthenticated attacker to gain administrative control of a site. Administrators running the plug-in should apply the update as soon as possible and then review their WordPress sites for suspicious activity, such as administrative actions performed from unrecognised IP addresses.

WooCommerce is an open-source e-commerce platform built on top of WordPress. It is owned and maintained by Automattic, the company behind WordPress.com and a major contributor to the WordPress project. The vulnerability is in the companion WooCommerce Payments plug-in, which currently has over 500,000 active installations.

The WooCommerce developers said that sites hosted on WordPress.com, Pressable and WPVIP, all managed WordPress hosting services, have already been updated automatically. Every other site should install the fixed release for its branch immediately unless automatic plug-in updates are enabled. The vulnerability affects every WooCommerce Payments release from 4.8.0, published at the end of September, onwards; Automattic has issued a patched release for each affected branch: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

Once the plug-in has been updated to a patched version, administrators should check their sites for unexpected admin users or posts. If anything suspicious turns up, the WooCommerce developers recommend changing the passwords of all admin users and rotating the API keys for WooCommerce and for any payment gateways.

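As an added example (not code from Automattic, WooCommerce or this article), the following Python script turns the version list above and the post-update review recommended here into two concrete checks: whether an installed WooCommerce Payments version falls in the affected range (4.8.0 or later and below the fixed release of its branch), and a listing of administrator accounts and content created since the exposure window opened. It assumes the default `wp_` table prefix, takes 2022-09-29 as the 4.8.0 release date (the article only says "end of September"), treats branches newer than 5.6 as released after the fix, and runs its queries against an in-memory SQLite copy of `wp_users`, `wp_usermeta` and `wp_posts` filled with constructed rows; the queries themselves are plain SQL that can be run unchanged against a site's MySQL database.

```python
"""Post-patch triage for the WooCommerce Payments advisory (added example, not
Automattic's code). is_vulnerable() checks an installed version against the
affected range; find_admins_registered_since() / find_posts_since() run the
recommended admin-user and post review as the SQL an administrator would use,
here against an in-memory SQLite copy of wp_users / wp_usermeta / wp_posts
holding constructed rows. Assumes the default 'wp_' table prefix and takes the
4.8.0 release date as 2022-09-29 (an assumption; the article says "end of September").
"""
import sqlite3

# Fixed release for each affected branch, as listed in the advisory.
PATCHED = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4),
    (5, 1): (5, 1, 3), (5, 2): (5, 2, 2), (5, 3): (5, 3, 1),
    (5, 4): (5, 4, 1), (5, 5): (5, 5, 2), (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)
EXPOSURE_START = "2022-09-29 00:00:00"  # assumed 4.8.0 release date


def parse_version(text):
    """'5.2.1' -> (5, 2, 1); missing components become 0, a '-suffix' is dropped."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version_text):
    """True if this WooCommerce Payments version still needs the update."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False  # releases before 4.8.0 are not affected
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return False  # assumption: branches newer than 5.6 shipped after the fix
    return v < fixed


SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_date TEXT, post_status TEXT, post_type TEXT, post_title TEXT);
"""

# Constructed sample rows: a long-standing owner, an editor, and an administrator
# created inside the exposure window that nobody remembers adding. WordPress keeps
# roles as a PHP-serialised array under the '<prefix>capabilities' meta key, so
# the admin query below matches on that serialised string.
USERS = [
    (1, "owner", "owner@example.com", "2021-03-04 10:00:00"),
    (2, "editor_jane", "jane@example.com", "2022-01-10 09:30:00"),
    (3, "wpsupp0rt", "x@example.net", "2023-03-20 02:14:51"),
]
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
POSTS = [
    (10, 1, "2022-06-01 12:00:00", "publish", "post", "Summer sale"),
    (11, 3, "2023-03-20 02:20:00", "publish", "page", "Untitled"),
    (12, 2, "2023-03-01 08:00:00", "publish", "post", "New arrivals"),
]


def load_sample_db():
    """Build the in-memory stand-in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", USERMETA)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?, ?)", POSTS)
    return conn


def find_admins_registered_since(conn, since=EXPOSURE_START):
    """Administrator accounts created on or after `since`: (ID, login, email, registered)."""
    sql = """SELECT u.ID, u.user_login, u.user_email, u.user_registered
             FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = 'wp_capabilities'
               AND m.meta_value LIKE '%"administrator"%'
               AND u.user_registered >= ?
             ORDER BY u.user_registered"""
    return conn.execute(sql, (since,)).fetchall()


def find_posts_since(conn, since=EXPOSURE_START):
    """Posts and pages created on or after `since`, with the author's login."""
    sql = """SELECT p.ID, p.post_type, p.post_title, p.post_date, u.user_login
             FROM wp_posts p LEFT JOIN wp_users u ON u.ID = p.post_author
             WHERE p.post_type IN ('post', 'page') AND p.post_date >= ?
             ORDER BY p.post_date"""
    return conn.execute(sql, (since,)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("admins created in the exposure window:", find_admins_registered_since(db))
    print("content created in the exposure window:", find_posts_since(db))
```

On a real site the meta key follows the table prefix (a site installed with prefix `abc_` keeps roles under `abc_capabilities`), so adjust both the table names and the key before running the queries. The listing is a starting point for review, not a verdict: a legitimate account created in the window will appear too, and an attacker who reused an existing admin account rather than creating one will not.
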
WordPress stores user passwords as salted hashes, which makes them hard to crack even if the database has been read, but other plug-ins may store credentials, tokens and API keys in the database without any hashing. Administrators should take stock of the secrets that may be held in their database and rotate all of them.

WooCommerce said it does not believe the vulnerability was used to compromise store or customer data, but merchants may want to keep an eye on how the incident develops. The vulnerability was reported privately through Automattic's bug bounty program on HackerOne. Technical details have not yet been disclosed; under the program's disclosure policy they are expected within two weeks.