The vulnerability could allow unauthenticated administrative takeover of websites. WooCommerce has released an update.

WooCommerce, a popular plug-in for running WordPress-based online stores, contains a critical vulnerability that could allow attackers to take over websites. Technical details about the vulnerability have not been published yet, but the WooCommerce team has released updates, and attackers could reverse-engineer the patch.

“Although what we know at this time is limited, what we do know is that the vulnerability allows for unauthenticated administrative takeover of websites,” researchers from web security firm Sucuri said in a blog post. “Website administrators using this plugin are advised to issue the patch as soon as possible and check for any suspicious activity within their WordPress websites such as any administrative actions performed from unrecognized IP addresses.”

WooCommerce is an open-source e-commerce platform built on top of WordPress that’s owned and maintained by Automattic, the company that’s also behind WordPress itself. The WooCommerce Payments plug-in, which contains the vulnerability, currently has over 500,000 active installations.

The WooCommerce developers announced that sites hosted on WordPress.com, Pressable and WPVIP — managed WordPress hosting services — have been automatically updated. However, all other websites should apply the update for their respective version immediately if they don’t have automatic updates enabled.

The vulnerability affects all WooCommerce Payments versions since 4.8.0, which was released at the end of September. Automattic released the following patched versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

Once WooCommerce has been updated to a patched version, administrators should check their websites for any unexpected admin users or posts.
If suspicious activity is detected, the WooCommerce developers recommend changing the passwords for all admin users on the site, as well as any API keys for WooCommerce and payment gateways.

“WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack,” the WooCommerce developers said. “This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.”

However, it’s worth noting that this only applies to password hashes stored using the standard WordPress authentication mechanism. Other plug-ins might use credentials, tokens and API keys that are stored in the database without hashing. Admins should review which secrets they potentially have in their database and rotate them all.

“You can also take the additional measure of changing the salts within your wp-config.php file if you want to take extra precautions,” the Sucuri researchers said.

No sign that WooCommerce vulnerability has been exploited

WooCommerce said it doesn’t believe this vulnerability was used to compromise store or customer data, but merchants might want to monitor how this incident develops. The vulnerability was reported privately through Automattic’s bug bounty program on HackerOne. While the technical details have not yet been disclosed, they will likely be in two weeks as per the disclosure policy.

However, the Sucuri researchers already pointed out that the vulnerability was likely in a file called class-platform-checkout-session.php, which seems to have been entirely removed in the patched version.
It’s therefore possible for skilled hackers to figure out the vulnerability and how to exploit it on their own, since they know where to look.

WordPress websites have historically been an attractive target for attackers, with many vulnerabilities exploited over the years in the platform itself, as well as in its many third-party plug-ins and themes.
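The update and post-patch checks described in the article, put into one script as an added example (this is not code from WooCommerce, Automattic or Sucuri): it classifies an installed WooCommerce Payments version against the patched releases the article lists, flags administrative POSTs in a web server access log that come from IP addresses the site owner does not recognise, lists administrator accounts that are not on the owner's expected list, and generates replacement values for the wp-config.php keys and salts. The log lines, user records, IP allowlist and expected-admin list are constructed for the demo; the Apache combined log format, the role names and the treatment of admin-ajax.php are assumptions, and a version branch newer than any the article names is reported as unknown rather than guessed.

```python
"""Post-patch triage for the WooCommerce Payments advisory.

Added example, not code from WooCommerce, Automattic or Sucuri. Assumptions:
  * plugin versions are plain dotted numerics as shown in the WordPress
    plugin list (e.g. "5.4.0");
  * the web server log is in Apache combined format;
  * the IPs staff normally administer from and the expected administrator
    logins are kept by the site owner (values below are constructed).
"""
import re
import secrets
import string

# Patched releases named in the advisory, keyed by minor branch.
PATCHED = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4), (5, 1): (5, 1, 3),
    (5, 2): (5, 2, 2), (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)  # every release from 4.8.0 onward is affected

def parse_version(text):
    """'5.4' -> (5, 4, 0); components beyond the third are ignored."""
    nums = tuple(int(p) for p in text.strip().split(".")[:3])
    return nums + (0,) * (3 - len(nums))

def assess_version(text):
    """(status, fixed_version): 'not_affected', 'patched', 'update' (still
    vulnerable) or 'unknown' (a branch the advisory does not list)."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not_affected", None
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return "unknown", None
    return ("patched" if v >= fixed else "update"), ".".join(map(str, fixed))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def admin_actions_from_unrecognized_ips(log_lines, known_ips):
    """Successful POSTs to wp-admin pages from IPs outside known_ips.
    admin-ajax.php is skipped because front-end features post to it too."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or not path.startswith("/wp-admin/"):
            continue
        if path == "/wp-admin/admin-ajax.php" or int(m.group("status")) >= 400:
            continue
        if m.group("ip") not in known_ips:
            findings.append((m.group("ip"), m.group("ts"), path))
    return findings

def unexpected_admins(users, expected_logins):
    """Administrator accounts missing from the owner's expected list."""
    return sorted(u["user_login"] for u in users
                  if u["role"] == "administrator"
                  and u["user_login"] not in expected_logins)

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

def new_salt_lines(length=64):
    """Fresh define() lines for the eight wp-config.php keys and salts.
    Replacing them invalidates every existing login cookie and nonce.
    The alphabet omits quote and backslash so the PHP literal stays valid."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return ["define('%s', '%s');" % (k, "".join(secrets.choice(alphabet)
            for _ in range(length))) for k in WP_KEYS]

# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2023:10:02:11 +0000] "GET /shop/ HTTP/1.1" 200 5120',
    '198.51.100.4 - - [24/Mar/2023:10:05:43 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [24/Mar/2023:10:06:01 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [24/Mar/2023:10:07:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
]
KNOWN_ADMIN_IPS = {"192.0.2.10"}
SAMPLE_USERS = [{"user_login": "shopowner", "role": "administrator"},
                {"user_login": "support", "role": "shop_manager"},
                {"user_login": "wpupdater", "role": "administrator"}]
EXPECTED_ADMINS = {"shopowner"}

if __name__ == "__main__":
    print(assess_version("5.4.0"))  # ('update', '5.4.1')
    print(admin_actions_from_unrecognized_ips(SAMPLE_LOG, KNOWN_ADMIN_IPS))
    print(unexpected_admins(SAMPLE_USERS, EXPECTED_ADMINS))  # ['wpupdater']
    print("\n".join(new_salt_lines()))
```

On a real site the user records would come from the database or a WP-CLI user listing rather than the constructed list, and the log would be the server's access log for the window since 4.8.0 was installed. A hit from `admin_actions_from_unrecognized_ips` is a lead to review, not proof of compromise (administrators do travel), which is why the function reports the timestamp and path alongside the address. The salt output is meant to replace the existing `define()` lines in wp-config.php; every user, including the administrator doing the rotation, is logged out once they change.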