Critical Vulnerability in WooCommerce Payments

Published 23 March 2023
Updated 23 November 2023
Dave Jong
CTO at Patchstack

This security advisory covers the critical privilege escalation vulnerability in WooCommerce Payments. Patchstack users have received a vPatch to protect their sites against this vulnerability.

Update March 24th, 2023: WooCommerce has released a statement providing some information about this vulnerability. The critical vulnerability in WooCommerce Payments was discovered and reported by Michael Mazzolini of GoldNetwork.

About WooCommerce Payments

WooCommerce Payments is designed exclusively for WooCommerce stores and helps you to accept major credit and debit cards. It also allows customers to pay you directly without leaving your WooCommerce store, and lets you view and manage transactions from one convenient place – your WordPress dashboard.


You will see payments, track cash flow into your bank account, manage refunds, and stay on top of disputes without the hassle of having to log into a separate payment processor.

The plugin has 600,000+ active installations on WordPress.

WooCommerce Payments vulnerability information

On March 23rd, 2023, Automattic released version 5.6.2 of the WooCommerce Payments plugin, which fixes a critical privilege escalation bug that allows any unauthenticated user to escalate their privileges to those of any user they desire.

This could allow a malicious user to escalate their regular guest privileges to the privileges of an administrator and further exploit the website. As this vulnerability requires no authentication, it is very likely it will be mass-exploited very soon.

Patchstack also released a vPatch that fixes the vulnerability for any user who is running a site with the vulnerable WooCommerce Payments version installed.

What is vPatching?

vPatching means shipping a rule (or a set of rules) that mitigates a specific vulnerability in software without changing the vulnerable code itself. Managed web application firewalls such as Patchstack can ship vPatches to the website automatically if vulnerable software is present.

Regardless of that, we still highly recommend updating your website to the latest version of WooCommerce Payments as soon as possible and always keeping your plugins up to date.

If you want to find more info about the vulnerability you can check the Patchstack vulnerability database and learn more about how to protect your WordPress site from our complete guide to WordPress security.
