On March 22, 2023, a vulnerability was discovered in WooCommerce Payments that could have allowed unauthorized admin access to affected stores. The plugin was immediately disabled, and WordPress.com, Pressable, and WPVIP were then investigated to determine whether any data had been exposed or the vulnerability exploited. At present there is no evidence of the vulnerability being used outside of WooCommerce's own security testing program.
The vulnerability was reported by Michael Mazzolini from GoldNetwork, who was conducting white-hat testing of WooCommerce Payments through WooCommerce's HackerOne program. WooCommerce temporarily disabled the beta program for WooPay, a new payment checkout service, because the vulnerability could also have affected it. A fix was developed, and the WordPress.org Plugins Team worked to automatically update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions.
Websites that are not hosted on WordPress.com and have not yet updated to a patched version remain potentially vulnerable. Website owners should check for the latest version by opening the Plugins menu in their WP Admin dashboard and locating WooCommerce Payments in the list of installed plugins. If a newer version is available, they should update to it.
Once the site is running a patched version, the owner should check for any unexpected admin users or posts. If there is evidence of suspicious activity, they should change the passwords of all Admin users on the site, especially if those passwords are reused on other websites, and rotate any API keys used on the site, including the WooCommerce API keys.
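The two checks above (is the installed version inside the affected range, and are there admin accounts the owner did not create) can be scripted rather than done by eye. The following is an added example, not code from WooCommerce or Automattic. It assumes the owner can read the plugin header of `woocommerce-payments/woocommerce-payments.php` (WordPress takes the plugin version from its `Version:` line) and can export administrators with WP-CLI (`wp user list --role=administrator --format=json`; the field names used are WP-CLI's, the sample records and the `known_admins` allowlist are constructed here). The only facts taken from the advisory are the affected range 4.8.0 through 5.6.1 and the discovery date of March 22, 2023.

```python
"""Post-advisory triage helpers for WooCommerce Payments (added example)."""
import json
import re
from datetime import datetime, timezone

# Affected range stated in the advisory, inclusive at both ends.
AFFECTED_MIN = (4, 8, 0)
AFFECTED_MAX = (5, 6, 1)
# Date the vulnerability was discovered; admins created on or after it get flagged.
DISCLOSURE_DATE = datetime(2023, 3, 22, tzinfo=timezone.utc)

# Constructed sample of the plugin header WordPress reads the version from.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Payments
 * Version: 5.6.1
 * Requires at least: 6.0
 */
"""

# Constructed sample of `wp user list --format=json` output (field names are WP-CLI's).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "alice", "user_email": "alice@example.com",
     "user_registered": "2021-06-01 10:00:00", "roles": "administrator"},
    {"ID": 7, "user_login": "bob", "user_email": "bob@example.com",
     "user_registered": "2022-02-10 08:30:00", "roles": "editor"},
    {"ID": 9, "user_login": "wc-support", "user_email": "x@example.net",
     "user_registered": "2023-03-23 04:12:51", "roles": "administrator"},
])


def parse_version(text):
    """Turn '5.6.1' (or '5.6', or '5.6.1-rc') into a 3-tuple of ints for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def plugin_version_from_header(header):
    """Extract the value of the 'Version:' header line from a plugin main file."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)


def is_in_affected_range(version):
    """True if the version falls within 4.8.0 .. 5.6.1 (tuple compare, so 5.10 > 5.6)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def suspicious_admins(users_json, known_admins, since=DISCLOSURE_DATE):
    """Return (login, reasons) for administrators that are not on the owner's
    allowlist or were registered on/after the disclosure date."""
    findings = []
    for u in json.loads(users_json):
        if "administrator" not in u.get("roles", "").split(","):
            continue  # only admin accounts matter for this check
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in allowlist")
        if registered >= since:
            reasons.append("registered after disclosure")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


def triage(header, users_json, known_admins):
    """Combine both checks into one summary dict."""
    version = plugin_version_from_header(header)
    return {
        "version": version,
        "in_affected_range": is_in_affected_range(version),
        "suspicious_admins": suspicious_admins(users_json, known_admins),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADER, SAMPLE_USERS, known_admins={"alice"})
    print(json.dumps(result, indent=2))
```

An admin that is on the allowlist but was created after the discovery date is still reported, because the owner should confirm they actually created it. A version outside the affected range is reported as such without the script claiming it is patched; the owner should still confirm they are on the latest release. `wp plugin get woocommerce-payments --field=version` gives the same version string if reading the file is inconvenient.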
WordPress stores user passwords as salted hashes, so it is unlikely that the passwords themselves were compromised. Administrators who reuse the same password on multiple websites should nevertheless change it, in case that credential has been compromised elsewhere.
In its notification, WooCommerce encouraged anyone who supports or develops for other WooCommerce merchants to share this information and to ensure that their clients are running the latest version of WooCommerce Payments. At present there is no evidence that any store or customer data were compromised as a result of this vulnerability.