On March 22, 2023, a vulnerability was discovered within WooCommerce Payments that, if exploited, could permit unauthorized admin access to impacted stores. We immediately deactivated the impacted services and mitigated the issue for all websites hosted on WordPress.com, Pressable, and WPVIP.
The vulnerability was reported by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing for us through our HackerOne program. As soon as the vulnerability was reported, we began an investigation to ascertain whether any data had been exposed or if the vulnerability had been exploited. We currently have no evidence of the vulnerability being used outside of our own security testing program. We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible.
Because this vulnerability also had the potential to impact WooPay, a new payment checkout service in beta testing, we have temporarily disabled the beta program.
I have WooCommerce Payments installed. What actions do I need to take?
If your website is hosted on WordPress.com, your store is in the process of being updated or has already been updated to remove the vulnerability.
Any site that is not hosted on WordPress.com, has WooCommerce Payments 4.8.0 or higher installed and activated, and has not yet updated to a patched version (see below) is still potentially vulnerable to this issue. Here’s how to make sure you have the latest version:
- From your WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
- The version number should be displayed in the Description column next to the plugin name. If this number is one of the patched versions listed below, no further action is needed.
- If a new version is available for download, you should see a notice guiding you to update WooCommerce Payments — please go ahead and do so.
Once you’re running a secure version, we recommend checking for any unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest:
- Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
- Rotating any API keys used on your site, including your WooCommerce API keys. Here’s how to update your WooCommerce API keys. For resetting other keys, please consult the documentation for those specific plugins or services.
How do I know if my version is up-to-date?
Below you can find the full list of patched versions of WooCommerce Payments. If you are running a version of WooCommerce Payments that is not on this list, please update to one of these versions immediately.
|Patched WooCommerce Payments Versions|
|---|
|5.7.0 and above|
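For a self-hosted store, the two checks above (is the installed version in the patched range, and have any unexpected administrator accounts appeared since the disclosure) can be scripted with WP-CLI. The script below is an added example and is not part of the advisory or of the WooCommerce project; it assumes the `wp` command is on the PATH and is run from the WordPress root, that the plugin slug is `woocommerce-payments`, and it takes the patched threshold (5.7.0 and above) and the disclosure date (March 22, 2023) from this post. The two pure-shell helpers, `is_patched` and `recent_admins`, work without a WordPress install so the version comparison can be checked on its own.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. Post-patch checks for a
# self-hosted WooCommerce store, driven by WP-CLI. Assumes `wp` is on PATH
# and the script is run from the WordPress root.

MIN_PATCHED="5.7.0"        # from the "Patched WooCommerce Payments Versions" table in the post
DISCLOSED_ON="2023-03-22"  # date the vulnerability was reported, per the post

# version_ge A B: succeed when dotted version A >= B (numeric compare, 3 components).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0 }'
}

# is_patched VERSION: succeed when VERSION is in the patched range.
is_patched() { version_ge "$1" "$MIN_PATCHED"; }

# recent_admins CUTOFF: read WP-CLI CSV (ID,user_login,user_email,user_registered)
# on stdin and print the data rows registered on or after CUTOFF (YYYY-MM-DD).
# ISO dates compare correctly as strings, so no date parsing is needed.
recent_admins() {
  awk -F, -v cutoff="$1" 'NR > 1 { d = $4; gsub(/"/, "", d);
    if (substr(d, 1, 10) >= cutoff) print }'
}

# check_site: live checks against the current WordPress install (needs wp-cli).
check_site() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; skipping live checks" >&2
    return 2
  fi
  v=$(wp plugin get woocommerce-payments --field=version 2>/dev/null) || {
    echo "WooCommerce Payments is not installed on this site"; return 0; }
  if is_patched "$v"; then
    echo "WooCommerce Payments $v: patched"
  else
    echo "WooCommerce Payments $v: UPDATE REQUIRED (patched versions: $MIN_PATCHED and above)"
  fi
  echo "Administrator accounts registered on or after $DISCLOSED_ON (review any you do not recognise):"
  wp user list --role=administrator \
    --fields=ID,user_login,user_email,user_registered --format=csv \
    | recent_admins "$DISCLOSED_ON"
}

# Run the live checks only when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then
  check_site
fi
```

Run it as `sh check-wcpay.sh --run` from the WordPress root. An empty list of recent administrators is not proof of a clean site (an attacker who already had admin access could also have changed existing accounts or added a plugin), so treat it as one of the checks the advisory lists, alongside reviewing unexpected posts and rotating credentials, not as a substitute for them.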
Has my data been compromised?
At this time we have no evidence that the vulnerability was exploited beyond identifying it in our own security testing program. We will continue to investigate, and if we discover any new information we will update this post.
Which passwords do I need to change?
It’s unlikely that your password was compromised as it is hashed.
WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.
Note that our guidance on passwords assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.
If any of the Administrator users on your site might have reused the same passwords on multiple websites, we recommend you update those passwords in case their credentials have been compromised elsewhere.
We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration. Here’s how to update your WooCommerce API key. For resetting other keys, please consult the documentation for those specific plugins.
I’m a service provider, developer, or agency. Should I alert my WooCommerce merchants?
We encourage anyone who supports or develops for other WooCommerce merchants to share this information and to make sure that their clients who have WooCommerce Payments installed are using the most updated version of WooCommerce Payments.
I’m a merchant. Do I need to contact my customers?
We do not believe any store or customer data was compromised as a result of this vulnerability. If we have any reason to think this is not the case, we will contact you via email directly.
Is WooCommerce still safe to use?
Yes. New vulnerabilities are uncommon, but they do arise from time to time. When one does, we work diligently to track and patch it as quickly as possible, and we strive to investigate, act, and communicate with our merchants and customers without delay.
I have other questions.
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
March 27, 2023 UPDATE
Since posting about the WooCommerce Payments vulnerability last week, we have been in touch with a few customers who have reported potential exploits to their WooCommerce stores. We’re investigating each of those reports to better understand what has taken place, and we’re working directly with impacted customers to help them secure their shops.
We continue to encourage you to reach out and open a ticket with Woo’s support team if you believe your store was impacted.
20 replies on “Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know”
The advisory above uses the language of uncertainty, “could permit unauthorized admin access” and “potentially vulnerable to this issue”.
On my reading of the code changes, the vulnerability is absolutely trivial to exploit on all unpatched sites to gain full admin access, on every site that allows non-admin users to login. I don’t see the justification for any language of uncertainty; if your site allows users to login, you’re trivially vulnerable to complete take-over. Is this analysis correct?
Our number one priority during this incident has been to limit impacts to vulnerable stores. Once a patch is live, it’s a race against time to use every tool at our disposal to quickly get vulnerable stores updated before bad actors attempt exploits. We aimed to clearly communicate the severity of the issue and the need to update immediately, while avoiding sharing specifics that could even slightly aid or motivate the efforts of bad actors. This is certainly a balancing act, and we truly appreciate your feedback on this and the fact that you are taking this incident so seriously.
Could this vulnerability have given a bad actor the chance to infect a person’s computer with, say, the Trojan:Script “Wacatac” – if they happened to be logged into WordPress and the storefront to update products during the same time period?
We’re not aware of any method of exploiting this vulnerability that would allow an attacker to install trojans or any other malware on a personal computer.
Thank you for the quick information. Currently I have version 5.6.2 and should be safe according to the table. How do I get the notification turned off in WordPress? It constantly comes back and takes up almost everything in “New products”.
Thank you for this report! Your site is protected from this vulnerability with WooCommerce Payments 5.6.2 installed. We’re aware of a WooCommerce issue (https://github.com/woocommerce/woocommerce/issues/36913) where some Inbox Notifications are not dismissing when they should. While our team prioritizes a fix for this, feel free to reach out to us at https://woocommerce.com/my-account/create-a-ticket/ and we can help look into the specifics of what you’re seeing on your site.
Hi, is it possible to remove completely the vulnerability alert? I’ve updated the plugin, but the alert is still displaying…
Thank you for this report! We’re aware of a WooCommerce issue (https://github.com/woocommerce/woocommerce/issues/36913) where some Inbox Notifications are not dismissing when they should. While our team prioritizes a fix for this, feel free to contact us at https://woocommerce.com/my-account/create-a-ticket/ and we can help look into the specifics of what you’re seeing on your site.
Has a CVE ID been issued for this yet? Given that HackerOne is a CNA and Automattic owns WPScan which is also a CNA, we didn’t want to issue a CVE ID since we didn’t originally discover this issue and it wasn’t reported to us, but we’ve been getting questions about whether or not a CVE ID has been assigned.
Also monitoring CVE on this issue
The reserved CVE ID for this issue is CVE-2023-28121 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28121). We’re working on adding public details to it.
Our store at bizprospex.com is also affected; even after removing the WordPress payments plugins, I am able to see unknown admin accounts being created.
also here same problem
I’m also affected, it’s a complete mess. Access to the only admin account on the website has been changed, and I just received a notice from my VPS provider that said port 25 will be blocked on my whole server due to the excessive amount of mail being sent (probably through the hacked website we have).
I believe this was used for RCE on our website. Two admin accounts were created and then shortly after an upload script appeared in the root directory, from there they took the site entirely. There’s obviously an escalation chain here.
Perhaps a silly question but if I have 5.7.0, do I need to go back down to 5.6.2? I just went to edit my site, and my screen said “Fatal Error” so I panicked, went into recovery mode, saw the WooPayments notice, and before reading anything I absentmindedly hit “update.” I’m not even sure if that was what was causing the fatal error because I still have two errors on my home page saying something about “line 67 in woocommerce quick view pro.” But that’s neither here nor there – am I ok with 5.7.0?
Our installed version is 5.7.0 which is not listed in the patched versions table but it’s the latest one so I assume it is safe to use, right?
Correct, 5.7.0 contains the fix. I’ll update the post to help clarify, now that there are more recent versions available.
Also for us, same problem: the Dismiss button has no effect.
Would this vulnerability allow someone to completely corrupt all website pages and the WordPress back end, rendering it unusable? We have had this occur and have been told it is due to this plugin. Our online store took 75 hours to fix.