Important flaw in WooCommerce can be utilized to compromise WordPress web sites

WooCommerce, a preferred plug-in for working WordPress-based on-line shops, incorporates a essential vulnerability that would enable attackers to take over web sites. Technical particulars in regards to the vulnerability haven’t been revealed but, however the WooCommerce staff launched updates and attackers may reverse-engineer the patch.

“Though what we all know right now is restricted, what we do know is that the vulnerability permits for unauthenticated administrative takeover of internet sites,” researchers from internet safety agency Sucuri stated in a blog post. “Web site directors utilizing this plugin are suggested to problem the patch as quickly as potential and verify for any suspicious exercise inside their WordPress web sites corresponding to any administrative actions carried out from unrecognized IP addresses.”

WooCommerce is an open-source e-commerce platform constructed on prime of WordPress that is owned and maintained by Automattic, the corporate that is additionally behind WordPress itself. The WooCommerce Payments plug-in, which incorporates the vulnerability, at the moment has over 500,000 lively installations.

The WooCommerce builders announced that websites hosted on, Pressable and WPVIP — managed WordPress internet hosting providers — have been mechanically up to date. Nevertheless, all different web sites ought to apply the replace for his or her respective model instantly, if they do not have automated updates enabled.

The vulnerability impacts all WooCommerce Funds variations since 4.8.0, which was launched on the finish of September. Automattic launched the next patched variations: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

As soon as WooCommerce has been up to date to a patched model, directors ought to verify their web sites for any surprising admin customers or posts. If suspicious exercise is detected, the WooCommerce builders advocate altering the passwords for all admin customers on the positioning, in addition to any API keys for WooCommerce and fee gateways.

“WordPress consumer passwords are hashed utilizing salts, which suggests the ensuing hash worth could be very tough to crack,” the WooCommerce builders stated. “This salted hash method protects your password as an admin consumer, and likewise the passwords of some other customers in your web site, together with clients. Whereas it’s potential the hashed model of your password saved in your database might have been accessed by means of this vulnerability, the hash worth needs to be indiscernible and nonetheless defend your passwords from unauthorized use.”

Nevertheless, it is price noting that this solely applies to passwords hashes saved utilizing the usual WordPress authentication mechanism. Different plug-ins may use credentials, tokens and API keys which are saved within the database with out hashing. Admins ought to assessment which secrets and techniques they probably have of their database and rotate all of them.

“You may as well take the extra measure of adjusting the salts inside your wp-config.php file if you wish to take additional precautions,” the Sucuri researchers stated.

No signal that WooCommerce vulnerability has been exploited

WooCommerce stated it would not imagine this vulnerability was used to compromise retailer or buyer knowledge, however retailers may need to monitor how this incident develops. The vulnerability was reported privately by means of Automattic’s bug bounty program on HackerOne. Whereas the technical particulars haven’t but been disclosed, they may possible be in two weeks as per the disclosure coverage.

Nevertheless, the Sucuri researchers already identified that the vulnerability was possible in a file referred to as class-platform-checkout-session.php, which appears to have been solely eliminated within the patched model. It is due to this fact potential for expert hackers to determine the vulnerability and how you can exploit it on their very own since they know the place to look.

WordPress web sites have traditionally been a horny goal for attackers, with many vulnerabilities exploited over time within the platform itself, in addition to in its many third-party plug-ins and themes.

Copyright © 2023 IDG Communications, Inc.