WooCommerce Payments, a plugin that lets WooCommerce store owners accept credit and debit card payments and manage transactions inside the WordPress dashboard, has patched an Authentication Bypass and Privilege Escalation vulnerability with a 9.8 (Critical) CVSS score. The plugin is active on more than 500,000 websites.
Beau Lebens, WooCommerce's Head of Engineering, published an advisory about the vulnerability today, which he said "could allow unauthorized admin access to impacted stores" if exploited. It was discovered by a security researcher participating in WooCommerce's HackerOne program.
WooCommerce worked with WordPress.org to push out a forced update for sites running WooCommerce Payments versions 4.8.0 through 5.6.1 to patched versions. Many store owners have automatic updates turned off to ensure proper testing before updating. Now that the vulnerability has been made public, it is critical that all stores running version 4.8.0+ of the plugin update manually as soon as possible. WooCommerce sites hosted on WordPress.com, Pressable, and WPVIP have already been patched.
At this time WooCommerce does not have any evidence of the vulnerability being exploited, but the plugin's engineers recommend checking for any unexpected admin users or posts added to the site. The advisory includes further details on what to do if you believe your site has been impacted. As a precautionary measure, WooCommerce has temporarily disabled the WooPay beta program, since the vulnerability affects this new checkout service they have been beta testing.
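One way to carry out the check the advisory recommends, as an added example rather than code from WooCommerce or the advisory: two queries against the WordPress database that surface administrator accounts (newest first) and recently changed content with its author. They assume the default `wp_` table prefix; a site with a different prefix must adjust both the table names and the `wp_capabilities` meta key.

```sql
-- Added example, not part of the advisory. Assumes the default "wp_" prefix.
-- 1) Every account holding the administrator role, newest registration first,
--    so an account that appeared unexpectedly stands out at the top.
--    Capabilities are stored as a serialized PHP array, hence the LIKE match.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 2) Posts and pages created or modified in the last 7 days, with the author
--    login, to spot content added through an unexpected admin account.
SELECT p.ID, p.post_type, p.post_status, p.post_title,
       u.user_login, p.post_date, p.post_modified
FROM wp_posts AS p
JOIN wp_users AS u ON u.ID = p.post_author
WHERE p.post_type IN ('post', 'page')
  AND p.post_modified >= NOW() - INTERVAL 7 DAY
ORDER BY p.post_modified DESC;
```

Compare the first result set against the list of administrators the site owner actually created; any login, e-mail or registration time that is not accounted for warrants the follow-up steps in the advisory.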