
To ensure the security of online stores, Automattic, the company that manages WordPress, has announced the forced installation of a security update on hundreds of thousands of websites that use WooCommerce Payments, one of the most popular online store payment gateways.

This update was released to fix a critical vulnerability discovered by Michael Mazzolini of GoldNetwork, which allows unauthenticated attackers to gain administrator access to vulnerable online stores. The WooCommerce team has since patched the bug in recently issued security updates.

According to WordFence, this vulnerability can be exploited by hackers to impersonate an administrator and take over an online store entirely without user interaction or social engineering. This bug is expected to be mass-exploited in no time, according to Patchstack.


WooCommerce reported no evidence of exploitation in the wild

“We immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP,” said Beau Lebens, Head of Engineering at WooCommerce. Vulnerable WooCommerce stores hosted on WordPress.com are in the process of being updated, and those that have already received the update are patched against the vulnerability.

Admins who host a WordPress installation on their own servers will have to update WooCommerce Payments manually using the following procedure: from the WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in the list of plugins.

A notice guiding the admin to update WooCommerce Payments will be displayed if a new version is available.

Due diligence is required

After securing their stores, admins are advised to check for newly added admin users and suspicious posts on their websites. If any evidence of unexpected activity is found, admins should immediately update all admin passwords and rotate Payment Gateway and WooCommerce API keys.

Also, they should change any private or secret data stored in the WordPress/WooCommerce database. The WooCommerce Payments plugin has over 500,000 active installations and provides store customers with easy-to-configure and manage payment checkout.
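The post-incident checks described above (new administrator accounts, suspicious posts, and an inventory of API keys before rotating them) as SQL run directly against the store's database. This is an added example, not code from the article or from WooCommerce; it assumes the default `wp_` table prefix and uses a placeholder cut-off date standing in for the time the store was last known to be clean.

```sql
-- Constructed audit queries (not from the article). They assume the default
-- "wp_" table prefix; replace the placeholder '2023-01-01 00:00:00' with the
-- date the store was last verified clean.

-- 1. Accounts holding the administrator role that were created after the cut-off.
--    Roles are stored as a serialized PHP array in wp_usermeta, so the role name
--    is matched as a quoted substring of meta_value.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= '2023-01-01 00:00:00'
ORDER BY u.user_registered DESC;

-- 2. Posts, pages and other content created or modified after the cut-off,
--    with the author account, so injected content can be reviewed.
SELECT p.ID, p.post_type, p.post_status, p.post_title,
       p.post_date, p.post_modified, u.user_login AS author
FROM wp_posts AS p
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE p.post_type NOT IN ('revision', 'nav_menu_item')
  AND (p.post_date >= '2023-01-01 00:00:00'
       OR p.post_modified >= '2023-01-01 00:00:00')
ORDER BY p.post_modified DESC;

-- 3. Inventory of WooCommerce REST API keys before rotating them: owning user,
--    permissions, the visible key suffix and last use. Keys owned by an unknown
--    admin or used at unexpected times should be revoked first.
SELECT k.key_id, k.user_id, u.user_login, k.description,
       k.permissions, k.truncated_key, k.last_access
FROM wp_woocommerce_api_keys AS k
LEFT JOIN wp_users AS u ON u.ID = k.user_id
ORDER BY k.last_access DESC;
```

Revoke and reissue the keys through WooCommerce > Settings > Advanced > REST API rather than editing the table by hand, so that dependent integrations are updated consistently.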
