Critical Vulnerability in WooCommerce Payments

Published on 24 Mar 2023

WooCommerce has released security updates addressing a critical vulnerability in its WooCommerce Payments plugin. This plugin is used in online stores hosted on Pressable, WordPress and WordPress VIP. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.

Successful exploitation of the authentication bypass and privilege escalation vulnerability could allow an unauthenticated attacker to impersonate an administrator and take over a website without user interaction.

The vulnerability affects WooCommerce Payments plugin versions 4.8.0 through 5.6.1.

Websites hosted on WordPress.com using vulnerable versions of the WooCommerce Payments plugin should receive automatic updates, together with guidance on patching the vulnerability.

Administrators of websites that are not hosted on WordPress.com and have the WooCommerce Payments plugin installed should manually update the plugin using the following steps:

  1. From your WordPress Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
  2. The version number is displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed below, no further action is needed:
     Patched versions of WooCommerce Payments: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2.
  3. If a newer version is available for download, you should see a notice guiding you through the process of updating WooCommerce Payments.
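To make the version check in the steps above scriptable across many sites, here is an added Python example (not code from the advisory or from WooCommerce) that classifies an installed version against the affected range and the patched releases listed above. It assumes the version string has been read from the Plugins page, the plugin header, or a command such as `wp plugin get woocommerce-payments --field=version` (the plugin slug is an assumption).

```python
# Added example: classify an installed WooCommerce Payments version against
# the advisory's affected range (4.8.0 through 5.6.1) and patched releases.
from __future__ import annotations

# Fixed releases listed in the advisory, keyed by (major, minor) branch.
PATCHED = {
    (4, 8): (4, 8, 2),
    (4, 9): (4, 9, 1),
    (5, 0): (5, 0, 4),
    (5, 1): (5, 1, 3),
    (5, 2): (5, 2, 2),
    (5, 3): (5, 3, 1),
    (5, 4): (5, 4, 1),
    (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
AFFECTED_LOW = (4, 8, 0)
AFFECTED_HIGH = (5, 6, 1)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.6.1' (or '5.6') into a comparable (major, minor, patch) tuple.
    Pre-release or build suffixes such as '-beta1' are ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts[0], parts[1], parts[2]


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unaffected' for an installed version.
    A build counts as patched when it is at or above the fixed release of its
    own minor branch, so later point releases (e.g. 5.6.3) are recognised too."""
    v = parse_version(text)
    if v < AFFECTED_LOW:
        return "unaffected"
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        # Branches newer than 5.6 lie outside the affected range.
        return "unaffected" if v > AFFECTED_HIGH else "vulnerable"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions, not data from a real site.
    for sample in ("4.7.9", "4.8.0", "5.6.1", "5.6.2", "5.7.0"):
        print(f"{sample:>6}: {assess(sample)}")
```

Comparing per branch rather than against the literal list matters because a site that has already moved to a later point release on an affected branch is fixed even though that number does not appear in the advisory.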

More information is available here:
https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

https://www.bleepingcomputer.com/news/security/wordpress-force-patching-woocommerce-plugin-with-500k-installs/