WooCommerce Payments vulnerability discovered and fixed: What you need to know

WooCommerce Payments vulnerability discovered and fixed: What you need to know

On March 22, 2023, a vulnerability was discovered within WooCommerce Payments that could have allowed unauthorized admin access to affected stores. WooCommerce Payments was immediately disabled. After that,, Pressable, and WPVIP were investigated to determine whether any data had been exposed or if the vulnerability had been exploited. Currently, there is no evidence of the vulnerability being used outside of their security testing program.

The vulnerability was reported by Michael Mazzolini from GoldNetwork. He was conducting white-hat testing for WooCommerce Payments through their HackerOne program. WooCommerce temporarily disabled the beta program for WooPay, a new payment checkout service, because the vulnerability could also have impacted it. A fix was developed, and Plugins Team worked to automatically update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions.

For websites that are not hosted on and which have not updated to a patched version, they are still potentially vulnerable. Website owners should check for the latest version by clicking on the Plugins menu item in their WP Admin dashboard and looking for WooCommerce Payments in the list of plugins. If a new version is available, the website owner should update it.

Once the website owner runs a secure version, they should check for any unexpected admin users or posts on their site. If they find any evidence of spontaneous activity, they should update the passwords for any Admin users on their site, especially if they reuse the same passwords on multiple websites. They should also rotate any API keys used on their site, including the WooCommerce API keys used.

WordPress user passwords are hashed using salts, making it unlikely that passwords were compromised. If the Administrator users on a website reuse the same passwords on multiple websites, the website owner should update those passwords in case their credentials have been compromised elsewhere.

In their notification, WooCommerce encouraged anyone who supports or develops for other WooCommerce merchants to share this information and ensure that their clients are using the most updated version of WooCommerce Payments. Currently, there is no evidence that any store or customer data were compromised due to this vulnerability. 

In our blog, we post technology-related articles weekly. Follow us on Facebook and Instagram to get notifications about updates.

Reading next

How bad web design can kill an E-commerce project?
The Future of E-commerce With AI

Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.