Critical Vulnerability Discovered in WooCommerce Payments
2023-3-24 11:18:20 Author: blog.sucuri.net(查看原文) 阅读量:29 收藏

On March 22nd, 2023 a critical vulnerability was discovered within the WooCommerce Payments plugin – an extremely popular eCommerce payment plugin for WordPress with over half a million active installations. Thankfully the vulnerability was discovered by white hat security researcher Michael Mazzolini and responsibly disclosed through HackerOne, giving websites time to install the patched version 5.6.2 before full details of the exploit are released on April 6th.

Although what we know at this time is limited, what we do know is that the vulnerability allows for unauthenticated administrative takeover of websites. Website administrators using this plugin are advised to issue the patch as soon as possible and check for any suspicious activity within their WordPress websites such as any administrative actions performed from unrecognized IP addresses.

What we know

The vulnerability appears to be within the following file:

./wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php

According to the plugin change history it appears that the file and its functionality was simply removed altogether:

Automattic – the company behind WordPress and WooCommerce – is issuing automatic/forced updates of all websites using this plugin within their wordpress.com websites.

What should I do?

As per the official WooCommerce press release, if you operate a WooCommerce / WordPress website with this plugin you are advised to take the following actions:

  1. Update woocommerce-payments to version 5.6.2 immediately
  2. Change all administrator passwords
  3. Rotate your payment gateway and WooCommerce API keys

It’s unlikely that the passwords themselves were compromised, however if you reuse passwords across multiple websites it would be prudent to get those changed as well just in case. You can also take the additional measure of changing the salts within your wp-config.php file if you want to take extra precautions.

WooCommerce itself is – of course – still safe to use. Unfortunately vulnerabilities like this do pop up from time to time and are a great reminder of why automatic updates are prudent to have enabled.

The WooCommerce security team fortunately has acted very quickly to address this issue, so hats off to them.

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions


文章来源: https://blog.sucuri.net/2023/03/critical-vulnerability-discovered-in-woocommerce-payments.html
如有侵权请联系:admin#unsafe.sh