WordPress is force installing a security update on hundreds of thousands of websites running the highly popular WooCommerce Payments for online stores.

Today, “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2 with a changelog entry marked simply “Security update.”

Vulnerability Information

Description: Authentication Bypass and Privilege Escalation
Affected Plugin: WooCommerce Payments
Plugin Slug: woocommerce-payments
Plugin Developer: Automattic
Affected Versions: <= 5.6.1
CVE ID: N/A
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.6.2

The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately, it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account.

Buy Me A Coffee

It is unknown whether this vulnerability was discovered internally by Automattic or reported by an external researcher, and have not yet determined whether it is actively being exploited in the wild.

Vulnerable WooCommerce online shops hosted on WordPress.com are in the process of being updated or have already been updated to patch the vulnerability.

“We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible,” Lebens added.

READ
Google Issues Urgent Chrome Update to Patch Third Zero-Day Exploit in a Week

Admins who host a WordPress installation on their own servers will have to manually update WooCommerce using the following procedure:

  1. From your WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
  2. The version number should be displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed below, no further action is needed.
  3. If a new version is available for download, you should see a notice guiding you to update WooCommerce Payments — please go ahead and do so.

Patched WooCommerce Payments versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.