This security advisory covers a critical privilege escalation vulnerability in WooCommerce Payments. Patchstack users have received a virtual patch that protects their sites against this vulnerability.
Update March 24th, 2023: WooCommerce has released a statement providing some information about this vulnerability. The critical vulnerability in WooCommerce payments was discovered and reported by Michael Mazzolini of GoldNetwork.
WooCommerce Payments is designed exclusively for WooCommerce stores and helps you to accept major credit and debit cards. It also allows customers to pay you directly without leaving your WooCommerce store, and lets you view and manage transactions from one convenient place – your WordPress dashboard.
You will see payments, track cash flow into your bank account, manage refunds, and stay on top of disputes without the hassle of having to log into a separate payment processor.
The plugin has 600,000+ active installations on WordPress.
On March 23rd, 2023, Automattic released version 5.6.2 of the WooCommerce Payments plugin, which fixes a critical privilege escalation bug that allows any unauthenticated user to escalate their privileges to those of any user they choose.
This could allow a malicious user to escalate their regular guest privileges to those of an administrator and further compromise the website. As this vulnerability requires no authentication, it is very likely to be mass-exploited very soon.
Patchstack also released a virtual patch that protects against the vulnerability for any user running a site with a vulnerable WooCommerce Payments version installed.
What is virtual patching?
Virtual patching is sending a rule (or a set of rules) that mitigates a specific vulnerability in software without changing the vulnerable code itself. Managed web application firewalls such as Patchstack can ship virtual patches to the website automatically if vulnerable software is present.
Even so, we still highly recommend updating your website to the latest version of WooCommerce Payments as soon as possible and always keeping your plugins up to date.
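A quick way to verify that the update has actually landed is to read the version from the plugin's WordPress file header and compare it numerically against the fixed release 5.6.2. The script below is an added example, not code from the advisory or from Patchstack; it assumes the plugin's main file lives at `wp-content/plugins/woocommerce-payments/woocommerce-payments.php` under the WordPress root, and the sample header it parses is constructed.

```python
"""Added example: flag a WooCommerce Payments install older than the fixed
release 5.6.2 by reading the plugin's WordPress file header."""
import re
from pathlib import Path

FIXED_VERSION = "5.6.2"  # first release carrying the fix, per the advisory
# Assumed path of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN_FILE = "wp-content/plugins/woocommerce-payments/woocommerce-payments.php"


def parse_version(text):
    """Return the 'Version:' value from a WordPress plugin file header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", text, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """Numeric tuple for comparison, so '5.10.0' sorts above '5.6.2'.
    A pre-release suffix such as '-beta1' ranks below the final release."""
    core, _, suffix = v.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))  # pad so '5.6' compares like '5.6.0'
    return (parts, 0 if suffix else 1)


def is_vulnerable(installed):
    """True when the installed version predates the fixed release."""
    return version_tuple(installed) < version_tuple(FIXED_VERSION)


def audit(wp_root):
    """Return (installed_version, vulnerable), or (None, None) if the plugin
    or its version header cannot be found under wp_root."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return None, None
    installed = parse_version(path.read_text(errors="replace"))
    if installed is None:
        return None, None
    return installed, is_vulnerable(installed)


# Constructed sample header in the WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Payments
 * Version: 5.6.1
 */
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(v, "VULNERABLE: update to 5.6.2 or later" if is_vulnerable(v) else "ok")
```

Run `audit("/var/www/html")` (or wherever WordPress is installed) against a live site; a plain string comparison would mis-rank versions like 5.10.0, which is why the numeric tuple is used.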
If you want more information about the vulnerability, you can check the Patchstack vulnerability database, and you can learn how to protect your WordPress site from our complete guide to WordPress security.