Published on 24 Mar 2023 | Updated on 24 Mar 2023
WooCommerce has released security updates addressing a critical vulnerability in its WooCommerce Payments plugin. This plugin is used in online stores hosted on Pressable, WordPress and WordPress VIP. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
Successful exploitation of the authentication bypass and privilege escalation vulnerability could allow an unauthenticated attacker to impersonate an administrator and take over a website without user interaction.
The vulnerability affects WooCommerce Payments plugin versions 4.8.0 through 5.6.1.
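To check an installed copy against the affected range stated above, the following added example (not code from WooCommerce or from this advisory) reads the `Version:` header of a plugin's main file and compares it numerically. The script name, function names and sample header are assumptions made for illustration, and the operator supplies the path to the plugin's main file.

```python
import re
import sys
from pathlib import Path

# Affected range stated in the advisory: 4.8.0 through 5.6.1, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (4, 8, 0), (5, 6, 1)

# WordPress plugins declare "Version:" in the main file's header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

# Constructed sample header for a dry run; not copied from the real plugin.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: 5.6.1\n */\n"


def parse_version(text):
    """Turn '5.6.1' or '5.6.1-beta' into (5, 6, 1); None if unparseable."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def is_affected(version_text):
    """True if the version lies inside the advisory's affected range."""
    # Compare as integer tuples: as strings, "4.10.0" would sort before "4.8.0".
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def classify(plugin_file_text):
    """Return (version, status) for the contents of a main plugin file."""
    m = VERSION_RE.search(plugin_file_text[:8192])  # header sits at the top
    if not m:
        return None, "no version header"
    status = "AFFECTED" if is_affected(m.group(1)) else "outside affected range"
    return m.group(1), status


if __name__ == "__main__":
    # Hypothetical usage: python check_wcpay.py <main plugin file> [...]
    if len(sys.argv) == 1:  # no arguments: dry run on the constructed sample
        print("sample", *classify(SAMPLE_HEADER), sep="\t")
    for path in sys.argv[1:]:
        try:
            print(path, *classify(Path(path).read_text(errors="replace")), sep="\t")
        except OSError as exc:
            print(path, None, f"unreadable: {exc}", sep="\t")
```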
Websites hosted on WordPress.com that use a vulnerable version of the WooCommerce Payments plugin should receive automatic updates with steps on patching the vulnerability.
Administrators of websites that are not hosted on WordPress.com and have the WooCommerce Payments plugin installed should manually update the plugin using the following steps:
More information is available here:
https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/