A serious flaw has been found in WooCommerce, a popular plug-in for managing online businesses built on the WordPress platform. The flaw could enable cybercriminals to take control of websites. The WooCommerce team has released fixes, but attackers are able to reverse-engineer the patch even though technical specifics of the vulnerability have not yet been disclosed. There are presently approximately 500,000 active installations of the WooCommerce Payments plug-in, the component that contains the vulnerability. The creators of WooCommerce have stated that managed WordPress hosting providers such as WordPress.com, Pressable, and WPVIP have automatically updated the websites hosted on their platforms. Administrators of other websites that do not already have automatic updates turned on should immediately apply the update that is specific to their version.
All versions of WooCommerce Payments released after 4.8.0, which was published at the end of September, are susceptible to the vulnerability. Automattic made the following updated versions available: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.
As soon as a patched version of WooCommerce Payments has been installed, administrators of websites using WooCommerce should check their sites for any unusual admin users or posts. The creators of WooCommerce advise that, if suspicious activity is discovered on a website, the passwords of all administrative users on the site be changed, along with any API credentials for WooCommerce and payment gateways.
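The post-patch check described above can be scripted. The following shell helper is an added example written for this article, not code from WooCommerce or Automattic: it filters the CSV that WP-CLI's `wp user list` and `wp post list` commands print and reports rows whose date column is on or after a cutoff date, so an administrator can list admin accounts or posts created since the site was exposed. The sample CSV rows and the cutoff date are constructed for the demo; on a real site the CSV comes from WP-CLI and the cutoff is the date from which the vulnerable plug-in version was installed.

```shell
#!/bin/sh
# Added example for post-patch triage of a WordPress/WooCommerce site.
# Not part of the article or of the WooCommerce project.
#
# flag_rows_since CUTOFF DATE_COL < file.csv
#   Reads WP-CLI CSV output (header row first) and prints every data row whose
#   DATE_COL field ("YYYY-MM-DD HH:MM:SS") is on or after CUTOFF ("YYYY-MM-DD").
#   Field values are compared as strings, which works because both use ISO order.
flag_rows_since() {
    cutoff="$1"
    date_col="$2"
    awk -F, -v cutoff="$cutoff" -v col="$date_col" '
        NR == 1 { next }                           # skip the CSV header row
        {
            day = substr($col, 1, 10)              # keep only the date part
            if (day >= cutoff) print $0
        }'
}

# Count rows returned (used by the checks below; avoids wc -l whitespace quirks).
count_rows() {
    awk 'END { print NR }'
}

# Constructed sample data (not real site data). Column layout matches
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,owner,owner@example.test,2021-03-10 09:12:44
7,shop-manager,manager@example.test,2022-08-01 14:03:19
42,wpadmin01,nobody@example.test,2023-03-21 02:17:55'

# Column layout matches
#   wp post list --post_status=any --fields=ID,post_title,post_author,post_date --format=csv
SAMPLE_POSTS='ID,post_title,post_author,post_date
10,Welcome,1,2021-03-12 10:00:00
11,Summer sale,7,2022-07-30 08:45:00
99,Untitled,42,2023-03-21 02:20:31'

# Assumed cutoff for the demo: the date the vulnerable plug-in version went live
# on this (hypothetical) site. Replace with the real date from the site's records.
CUTOFF=2022-09-30

# Real-site usage (WP-CLI installed, run from the WordPress root):
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv \
#     | flag_rows_since "$CUTOFF" 4
#   wp post list --post_status=any \
#       --fields=ID,post_title,post_author,post_date --format=csv \
#     | flag_rows_since "$CUTOFF" 4
#
# If anything unexpected turns up, rotate every administrator password
# (e.g. `wp user update <ID> --user_pass=<new password>`) and the WooCommerce
# and payment-gateway API credentials, as the vendor advises.

echo "Admin accounts registered on or after $CUTOFF:"
printf '%s\n' "$SAMPLE_ADMINS" | flag_rows_since "$CUTOFF" 4
echo "Posts created on or after $CUTOFF:"
printf '%s\n' "$SAMPLE_POSTS" | flag_rows_since "$CUTOFF" 4
```

Run on the sample data, the script reports only the `wpadmin01` account and the post it authored, both dated after the cutoff; the long-standing accounts and posts are left out. The date column index is passed explicitly so the same helper works for any WP-CLI CSV listing.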
According to the creators of