June 6, 2023

Researchers discovered a critical vulnerability in WooCommerce Payments that could allow attackers to take over websites. The payment plugin itself has 500,000 active installations.

Researchers pointed out that the vulnerability was likely in a file called class-platform-checkout-session.php, which appears to have been removed entirely in the patched version. It is therefore possible for skilled attackers to work out the vulnerability from the patch and exploit it.


The WooCommerce team has released updates, but attackers could reverse-engineer the patch to find the flaw. The vulnerability affects all WooCommerce Payments versions since 4.8.0, which was released at the end of September. Automattic released the following patched versions: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

The WooCommerce developers announced that sites hosted on WordPress.com, Pressable and WPVIP managed WordPress hosting services have been automatically updated. All other websites should apply the update for their respective version immediately if they don’t have automatic updates enabled.

Once updated, administrators should check their websites for any unexpected admin users or posts. If suspicious activity is detected, the WooCommerce developers recommend changing the passwords for all admin users on the site, as well as any API keys for WooCommerce and payment gateways.
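The two checks an administrator would run after reading the above, written as an added example (not code from the article, from WooCommerce or from Automattic): first, whether an installed WooCommerce Payments version falls inside the affected range the article describes (4.8.0 up to the patched release on each branch); second, which administrator accounts were registered after a cutoff date. The user records are constructed sample data in the shape of `wp user list --format=json` rows, the cutoff date is an assumption chosen for the example, and the rule that branches newer than 5.6 are unaffected is likewise an assumption.

```python
"""
Added example, not from the article or from the WooCommerce project.
Checks (1) whether a WooCommerce Payments version is in the affected range
and (2) which administrator accounts were created after a cutoff date.
"""
from datetime import datetime

# Patched releases named in the advisory, keyed by release branch (major, minor).
PATCHED = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4),
    (5, 1): (5, 1, 3), (5, 2): (5, 2, 2), (5, 3): (5, 3, 1),
    (5, 4): (5, 4, 1), (5, 5): (5, 5, 2), (5, 6): (5, 6, 2),
}
FIRST_AFFECTED = (4, 8, 0)  # earliest affected release per the advisory


def parse_version(s: str) -> tuple:
    """Turn '5.6.1' into (5, 6, 1); missing components default to 0."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if this plugin version is in the affected range.

    Affected means: at or above 4.8.0 and below the fixed release on its
    own branch. Branches newer than the last listed fix are treated as
    shipped after the patch (an assumption, not stated by the article).
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fix = PATCHED.get(v[:2])
    if fix is None:
        return False  # assumption: newer branches already carry the fix
    return v < fix


def suspicious_admins(users: list, created_after: str) -> list:
    """Return logins of administrator accounts registered on or after
    `created_after` (YYYY-MM-DD). `users` has the shape of rows from
    `wp user list --format=json`, where `roles` is a comma-separated string.
    """
    cutoff = datetime.strptime(created_after, "%Y-%m-%d")
    flagged = []
    for u in users:
        roles = [r.strip() for r in u.get("roles", "").split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


# Constructed sample data: three accounts as `wp user list --format=json`
# would print them. Only the third is an administrator created recently.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "shopowner", "user_registered": "2021-03-14 09:12:00",
     "roles": "administrator"},
    {"ID": 57, "user_login": "support_jane", "user_registered": "2022-11-02 14:30:00",
     "roles": "shop_manager"},
    {"ID": 912, "user_login": "wpsvc_admin", "user_registered": "2023-03-25 03:41:17",
     "roles": "administrator"},
]


if __name__ == "__main__":
    for ver in ("4.7.9", "4.8.0", "5.0.3", "5.6.1", "5.6.2", "5.7.0"):
        print(f"WooCommerce Payments {ver}: affected={is_affected(ver)}")
    # Assumed cutoff: the start of the window in which 4.8.0 was available.
    print("admins to review:", suspicious_admins(SAMPLE_USERS, "2022-09-30"))
```

On a live site the `users` list comes from `wp user list --format=json`; any login this returns should be verified against the people who are supposed to hold administrator access before passwords and API keys are rotated, as the article recommends.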


WooCommerce said it doesn’t believe this vulnerability was used to compromise store or customer data, but merchants might want to monitor how this incident develops. The vulnerability was reported privately through Automattic’s bug bounty program on HackerOne.
