Vulnerable code has been discovered in the WooCommerce Payments plugin, a payment solution for the WordPress content management system (CMS), that could allow an unauthenticated attacker to gain administrative privileges and take over a website.
The findings come from WordPress security experts at Wordfence, who described the critical authentication bypass in a blog post published on Thursday.
The Wordfence blog post, written by senior threat researcher Ram Gall, explains how the team found the vulnerability after analyzing version 5.6.2 of the WooCommerce plugin on the same day it was released.
“After reviewing the update, we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required,” Gall wrote.
The researcher also clarified that the changelog entry for the 5.6.2 plugin only showed “Security update” without mentioning details of the critical flaw it patched.
“Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately,” Gall warned. “WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.”
Gall also noted that the Wordfence team does not know whether this flaw was discovered internally by Automattic (the developer behind WooCommerce) or reported by an external researcher. Wordfence has not yet found instances of the vulnerability being exploited in the wild, but that may change in the near future.
“We expect to see large-scale attacks targeting this vulnerability once a proof of concept becomes available to attackers,” Gall added.
The flaw comes months after Sucuri security researchers spotted a malware campaign designed to increase the search engine rankings of over 15,000 spam WordPress and other sites.