WooCommerce, maker of the popular ecommerce payments platform used by more than 220,000 live websites, reported discovering a vulnerability within a plug-in that could permit unauthorized admin access.
In a March 23 advisory to customers, WooCommerce said once it learned of the vulnerability in WooCommerce Payments, it immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP.
The vulnerability was reported by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing through WooCommerce’s HackerOne program. While a CVE was pending, it was rated a critical vulnerability with a CVSS score of 9.8.
On another front, once it learned of the vulnerability, Wordfence developed a proof-of-concept (POC) and began writing and testing a firewall rule that was released March 23. In a blog post, Wordfence said that regardless of the version of Wordfence a company uses, it recommends updating to the latest version of the WooCommerce Payments plugin, which is 5.6.2.
Sucuri researchers pointed out that ecommerce websites now have time to install the patched version 5.6.2 of the WooPayments platform before full details of the exploit are released on April 6.
“Although what we know at this time is limited, what we do know is that the vulnerability allows for unauthenticated administrative takeover of websites,” wrote the Sucuri researchers. “Website administrators using this plug-in are advised to issue the patch as soon as possible and check for any suspicious activity within their WordPress websites such as any administrative actions performed from unrecognized IP addresses.”
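The check the researchers recommend, looking for administrative actions from IP addresses that are not recognized, can be run over ordinary web server access logs. The script below is an added example written for this article, not code from Sucuri or WooCommerce; it assumes Apache combined log format, treats state-changing requests to `/wp-admin/` and the REST `/wp-json/wp/v2/users` endpoint as administrative actions, and uses a constructed allowlist of networks administrators normally work from.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Apache combined log format (assumed for the constructed sample lines below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request shapes treated as administrative actions (assumed heuristics, not a
# list from the advisory): writes to wp-admin and to the REST users endpoint,
# where accounts and roles get created or changed.
ADMIN_PATHS = ("/wp-admin/", "/wp-json/wp/v2/users")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed allowlist: networks from which administrators normally work.
KNOWN_ADMIN_NETS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]


def is_known_admin_ip(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed client field is never trusted as known
    return any(addr in net for net in KNOWN_ADMIN_NETS)


def flag_admin_actions(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, path) for write requests to administrative
    endpoints that were not rejected (2xx/3xx) and came from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if not m["path"].startswith(ADMIN_PATHS):
            continue
        if m["status"][0] in "45":
            continue  # rejected requests are noise for this check
        if not is_known_admin_ip(m["ip"]):
            findings.append((m["ip"], m["ts"], m["method"], m["path"]))
    return findings


# Constructed sample lines: one routine admin edit, then a user listing,
# a REST user creation and a wp-admin user creation from an unknown address.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2023:10:01:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Mar/2023:10:05:44 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8192 "-" "curl/7.88"',
    '198.51.100.9 - - [23/Mar/2023:10:05:45 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 640 "-" "curl/7.88"',
    '198.51.100.9 - - [23/Mar/2023:10:05:50 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "curl/7.88"',
]
```

Running `flag_admin_actions(SAMPLE_LOG)` returns the two account-creation requests from 198.51.100.9 for review; wp-admin form posts commonly answer with a 302 redirect, which is why redirects are kept rather than filtered as failures.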
Joseph Carson, chief security scientist and Advisory CISO at Delinea, said the recent critical vulnerability in the WooCommerce Payments plug-in is a great example of how a good vulnerability disclosure program can succeed and close vulnerabilities before they are exploited.
“In recent years, bug bounty programs have brought white hat security researchers together with businesses to help discover and patch vulnerabilities before malicious hackers discover them,” said Carson. “This is a tough and very time challenging responsibility, but bit by bit, it’s making us all safer and protecting many businesses from becoming victims of cybercrime.”
Craig Burland, chief information security officer at Inversion6, pointed out that, on the surface, this appears to be a win for the security teams. Looking deeper, however, Burland has questions about the secure development practices in play. He wonders how a vulnerability allowing unauthenticated attackers to impersonate anyone and eventually compromise the administrator account made it through testing.
“For plug-ins involving financial transactions, the level of testing must be rigorous — black box testing, white box testing, SAST and DAST,” said Burland. “Even simple enhancements can short-circuit security controls. For organizations mulling over investments into supply chain risk management, this is a good use case for being thorough about who and what you integrate into your online presence. Your customers will thank you for the diligence.”