WooCommerce, a popular plug-in for running WordPress-based online stores, contains a critical vulnerability that could allow attackers to take over websites. Technical details about the vulnerability have not been published yet, but the WooCommerce team released updates and attackers could reverse-engineer the patch.
"Although what we know at this time is limited, what we do know is that the vulnerability allows for unauthenticated administrative takeover of websites," researchers from web security firm Sucuri said in a blog post. "Website administrators using this plugin are advised to issue the patch as soon as possible and check for any suspicious activity within their WordPress websites such as any administrative actions performed from unrecognised IP addresses."
WooCommerce is an open-source e-commerce platform built on top of WordPress that's owned and maintained by Automattic, the company that's also behind WordPress itself. The WooCommerce Payments plug-in, which contains the vulnerability, currently has over 500,000 active installations.
The WooCommerce developers announced that sites hosted on WordPress.com, Pressable and WPVIP -- managed WordPress hosting services -- have been automatically updated. However, all other websites that don't have automatic updates enabled should apply the update for their respective version immediately.
The vulnerability affects all WooCommerce Payments versions since 4.8.0, which was released at the end of September. Automattic released the following patched versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.
Once WooCommerce has been updated to a patched version, administrators should check their websites for any unexpected admin users or posts. If suspicious activity is detected, the WooCommerce developers recommend changing the passwords for all admin users on the site, as well as any API keys for WooCommerce and payment gateways.
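One way to perform the check described above, as an added example that is not code from the article, Sucuri or WooCommerce: a small Python script that reads web-server access log lines and flags admin-area requests coming from addresses outside the networks your administrators are known to use. The sample log lines, the known-admin network and the list of admin-only paths are constructed assumptions to be adapted to a real site.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format; the IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2023:10:01:12 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 "-" "curl/7.88"
198.51.100.20 - - [23/Mar/2023:10:05:44 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2023:10:06:02 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 7410 "-" "Mozilla/5.0"
198.51.100.20 - - [23/Mar/2023:10:09:31 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Mar/2023:11:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Mar/2023:11:00:05 +0000] "GET /shop/ HTTP/1.1" 200 15032 "-" "Mozilla/5.0"
"""

# Assumed: the networks your administrators actually work from (hypothetical value, adjust per site).
KNOWN_ADMIN_NETWORKS = [ip_network("198.51.100.0/24")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Paths only administrators should touch. admin-ajax.php is excluded because the WordPress
# front-end calls it anonymously, so including it would drown the report in noise.
ADMIN_PATH = re.compile(r"^/wp-admin/(?!admin-ajax\.php)|^/wp-json/wp/v2/users")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_line(line):
    """Extract ip, timestamp, method, path and status from one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]  # ignore query strings when matching paths
    return d

def is_known_admin_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_ADMIN_NETWORKS)

def find_suspicious_admin_actions(log_text):
    """Admin-path writes from unknown addresses are 'high'; admin-path reads from unknown addresses 'medium'."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not ADMIN_PATH.search(rec["path"]) or is_known_admin_ip(rec["ip"]):
            continue
        severity = "high" if rec["method"] in WRITE_METHODS else "medium"
        findings.append({"ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_admin_actions(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['time']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Run it against the real access log and compare any flagged user-creation or plugin-page requests with the admin users and posts you expect to find on the site.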
"WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack," the WooCommerce developers said. "This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorised use."
However, it's worth noting that this only applies to password hashes stored using the standard WordPress authentication mechanism. Other plug-ins might store credentials, tokens and API keys in the database without hashing. Admins should review which secrets they potentially have in their database and rotate them all.
"You can also take the additional measure of changing the salts within your wp-config.php file if you want to take extra precautions," the Sucuri researchers said.
No sign that WooCommerce vulnerability has been exploited
WooCommerce said it doesn't believe this vulnerability was used to compromise store or customer data, but merchants might want to monitor how this incident develops. The vulnerability was reported privately through Automattic's bug bounty program on HackerOne. While the technical details have not yet been disclosed, they will likely be in two weeks as per the disclosure policy.
However, the Sucuri researchers already pointed out that the vulnerability was likely in a file called class-platform-checkout-session.php, which seems to have been entirely removed in the patched version. It's therefore possible for skilled hackers to figure out the vulnerability and how to exploit it on their own since they know where to look.
WordPress websites have historically been an attractive target for attackers, with many vulnerabilities exploited over the years in the platform itself, as well as in its many third-party plug-ins and themes.