What Is The Vulnerability Of WooCommerce Payments

What Is The Vulnerability Of WooCommerce Payments

Avatar photoByFrank H

Have you ever wondered how safe it is to use WooCommerce payments on your WordPress site? If you are like me, you probably want to make sure that your online store is secure and that your customers’ data is protected. But did you know that there is a critical vulnerability in the WooCommerce payments plugin that could allow hackers to take over your site and steal your information?

I didn’t know either until I read about it on a security blog. It turns out that this vulnerability, which has a code name of CVE-2023-28121, affects versions 4.8.0 to 5.6.1 of the plugin. It lets anyone who knows how to exploit it bypass the authentication process and pretend to be an admin on your site. That means they can do anything they want, like changing your settings, installing malware, or accessing your payment details.

That sounds scary, right? It’s kinda like leaving your front door unlocked and letting strangers walk into your house and mess with your stuff. You wouldn’t want that to happen, would you? Well, neither do I. That’s why I decided to learn more about this vulnerability and how to fix it. And I’m going to share what I learned with you in this blog post.

What is WooCommerce payments and why it is popular among WordPress users

WooCommerce payments is a payment solution that lets you accept and manage payments on your WordPress site without using any third-party plugins or services. It is the official payment gateway for WooCommerce, the most popular e-commerce plugin for WordPress. WooCommerce payments is powered by Stripe, a leading online payment processor that handles billions of dollars in transactions every year.

With WooCommerce payments, you can offer your customers a seamless and secure checkout experience. You can accept credit cards, debit cards, Apple Pay, Google Pay, and other popular payment methods. You can also enable local payment methods and currencies for different regions, making it easier for international buyers to shop on your site.

One of the best features of WooCommerce payments is that you can manage everything from your WordPress dashboard. You don’t need to log in to another website or platform to track your payments, deposits, disputes, refunds, or subscriptions. You can also view detailed reports and analytics to monitor your store’s performance and revenue.

WooCommerce payments is a pay-as-you-go service, which means you only pay a small fee per transaction. There are no monthly fees, setup fees, or hidden charges. The fee varies depending on the payment method, currency, and country of origin. You can check the current pricing here.

WooCommerce payments is available in 30 countries and supports 135+ currencies. You can check if your country is supported here. To use WooCommerce payments, you need to have a WordPress site with WooCommerce installed and activated. You also need to create an account with WooCommerce payments and connect it to your site.

What Vulnerabilities Does WooCommerce payment plugin Have

WooCommerce payments is not immune to security flaws that could compromise your site and your customers’ data. In fact, there have been several vulnerabilities in WooCommerce payments that have been discovered and exploited by hackers until now. In this section, we will review some of the most critical and recent ones, and how they could affect your site if left unpatched.

The most severe vulnerability in WooCommerce payments was reported in March 2023 by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing for WooCommerce through their HackerOne program. The vulnerability, which has a code name of CVE-2023-28121, affects versions 4.8.0 to 5.6.1 of the plugin. It lets anyone who knows how to exploit it bypass the authentication process and pretend to be an admin on your site. That means they can do anything they want, like changing your settings, installing malware, or accessing your payment details.

This vulnerability was patched by WooCommerce in version 5.6.2 of the plugin, and an auto-update was rolled out to WordPress sites running WooCommerce payments 4.8.0 through 5.6.1. However, not all sites were updated automatically, and some sites remained vulnerable to this issue. Attackers started exploiting this vulnerability in a massive targeted campaign that peaked at 1.3 million attacks against 157,000 sites on July 15, 2023. The attacks came from a handful of IP addresses that were shared by Wordfence, a security firm of WordPress.

Another vulnerability in WooCommerce payments was discovered in June 2023 by researchers from Sucuri Security. The vulnerability affects the WooCommerce Stripe payment gateway plugin, which is a popular extension for WooCommerce payments that allows online stores to accept payments through Stripe, a payment processor that supports credit cards, debit cards, and digital wallets like Apple Pay and Google Pay. The vulnerability allows an attacker to steal customer personally identifiable information (PII) from stores using the plugin.

The vulnerability is caused by a lack of proper validation and sanitization of user input in the plugin’s code. An attacker can exploit this vulnerability by sending a specially crafted request to the plugin’s API endpoint with malicious parameters. This request can trigger a SQL injection attack that can access the WordPress database and retrieve sensitive information such as customer names, email addresses, phone numbers, billing addresses, shipping addresses, and order details.

This vulnerability was patched by WooCommerce in version 5.6.0 of the plugin, which was released on June 14, 2023. Users of the plugin are advised to update to the latest version as soon as possible to prevent potential data breaches.

Besides CVE-2023-28121, there are other vulnerabilities in WooCommerce payments that have been discovered until now. Some of them are:

  • The WooCommerce Stripe payment gateway plugin was discovered to have a vulnerability that allows an attacker to steal customer personally identifiable information (PII) from stores using the plugin. The vulnerability affects versions 5.5.0 and lower of the plugin, which is installed on over 900,000 sites. The vulnerability allows an attacker to perform a SQL injection attack that can access the WordPress database and retrieve sensitive information such as customer names, email addresses, phone numbers, billing addresses, shipping addresses, and order details. This vulnerability was patched by WooCommerce in version 5.6.0 of the plugin, which was released on June 14, 2023.
  • The WooCommerce Payments plugin is vulnerable to authentication bypass via the determine_current_user_for_platform_checkout function. This allows unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, which can lead to site takeover. The vulnerability affects versions 4.8.0 through 5.6.1 of the plugin, which is installed on over 600,000 sites. The vulnerability allows an attacker to send a specially crafted request with a header that tricks the plugin into thinking that the request comes from an admin. This vulnerability was patched by WooCommerce in version 5.6.2 of the plugin, which was released on March 23, 2023.
  • The WooCommerce Payments plugin is vulnerable to cross-site scripting (XSS) via the payment_method parameter in the checkout page. This allows an attacker to inject malicious scripts that can execute in the browser of a visitor or an admin who views the page. The vulnerability affects versions 4.8.0 through 5.6.1 of the plugin, which is installed on over 600,000 sites. The vulnerability allows an attacker to steal cookies, session tokens, or other sensitive information from the victim’s browser. This vulnerability was patched by WooCommerce in version 5.6.2 of the plugin, which was released on March 23, 2023.

How to check if your site is affected and what are the actions required to mitigate it

If you are using WooCommerce payments on your WordPress site, you should check if your site is affected by any of the vulnerabilities mentioned above and take the necessary actions to mitigate them. Here are some steps you can follow to do that:

  • First, you should check the version of WooCommerce payments and WooCommerce Stripe payment gateway plugins that you have installed on your site. You can do this by going to your WP Admin dashboard, clicking on the Plugins menu item, and looking for WooCommerce payments and WooCommerce Stripe payment gateway in the list of plugins. The version number should be displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed in the previous section, no further action is needed. If not, you should update to the latest version as soon as possible.
  • Second, you should check if there are any unexpected admin users or posts on your site that could indicate a successful exploit. You can do this by going to your WP Admin dashboard, clicking on the Users menu item, and looking for any users with the Administrator role that you don’t recognize or trust. You can also click on the Posts menu item and look for any posts that you didn’t create or approve. If you find any evidence of suspicious activity, you should delete the users or posts and change your passwords and API keys.
  • Third, you should update your passwords and API keys for any Admin users and payment gateways on your site, especially if they reuse the same passwords or keys on multiple websites. This will prevent any potential access or data leakage from compromised accounts or services. You can change your WordPress password by going to your WP Admin dashboard, clicking on the Users menu item, selecting your username, and entering a new password in the Account Management section. You can change your WooCommerce API keys by going to your WP Admin dashboard, clicking on the WooCommerce menu item, selecting Settings, clicking on the Advanced tab, and clicking on REST API. You can then edit or revoke any existing keys or generate new ones. For resetting other keys, please consult the documentation for those specific plugins or services.

How to protect your content in WooCommerce and make it more secure

Besides patching the vulnerabilities in WooCommerce payments and other plugins, there are other ways to protect your content in WooCommerce and make it more secure. Here are some tips and tools that you can use to enhance your WooCommerce security:

  • Keep Software Updated: Ensure that your WordPress core, WooCommerce plugin, themes, and other plugins are always up to date. Developers frequently release updates to address security vulnerabilities and bugs.
  • Limit Login Attempts: Install a plugin that limits the number of login attempts to prevent brute force attacks. This will lock out users or bots after multiple unsuccessful login attempts.
  • Secure Hosting: Choose a reputable and secure hosting provider that offers strong server-side security measures, including firewalls, intrusion detection, and regular security updates.
  • Regular Backups: Perform regular backups of your WooCommerce website. In case of a security breach or data loss, backups will help you quickly restore your site to a previous secure state.
  • Web Application Firewall (WAF): Consider using a web application firewall to filter and block malicious traffic, protecting your website from various online threats.
  • Disable Directory Listing: Prevent directory listing on your server to avoid exposing sensitive files to potential attackers.
  • Monitor Website Activity: Use security plugins that offer monitoring features to track and log suspicious activities, such as failed login attempts or changes to critical settings.
  • Set Proper Permissions: Ensure that file and directory permissions are correctly set to prevent unauthorized access to sensitive files.
  • Implement Content Security Policy (CSP): Set up a Content Security Policy to restrict which sources can execute scripts and other content on your website, reducing the risk of cross-site scripting attacks.
  • Regular Security Audits: Conduct periodic security audits of your WooCommerce site to identify potential vulnerabilities and address them promptly.
  • Use SSL certificates – These are a form of encryption that will make your site more secure. SSL certificates create a secure connection between your site and your customers’ browsers, ensuring that any data that is exchanged is encrypted and protected from hackers. SSL certificates also boost your SEO ranking and customer trust, as they display a padlock icon and HTTPS in your site’s URL. You can get an SSL certificate from your host or from a third-party provider . To enable SSL on your WooCommerce site, go to WooCommerce > Settings > Advanced and check the box that says “Force secure checkout”.
  • Use security plugins – These are plugins that add extra layers of protection to your site, such as firewalls, malware scanning, backups, login security, and more. Security plugins can help you prevent, detect, and recover from attacks, as well as monitor your site’s activity and performance. Some of the best security plugins for WooCommerce are Jetpack, Wordfence, Sucuri, and MalCare. You can search with those names for more information.
  • Use secure payment gateways – These are services that process payments on your site, such as PayPal, Stripe, Square, etc. Secure payment gateways ensure that your customers’ payment information is encrypted and transmitted safely to the payment processor, without storing it on your site. This reduces the risk of data breaches and fraud, as well as the liability and compliance issues that come with handling sensitive data. WooCommerce supports many secure payment gateways that you can choose from.
  • Use high-quality plugins – These are plugins that are well-coded, regularly updated, and compatible with WordPress and WooCommerce. High-quality plugins reduce the chances of conflicts, errors, or vulnerabilities that could compromise your site’s security or functionality. You should always use reputable sources for your plugins, such as the WordPress.org repository or the WooCommerce extension library. You should also avoid using nulled or pirated plugins, as they often contain malware or backdoors that can harm your site.
  • Use strong passwords – These are passwords that are hard to guess or crack by hackers or bots. Strong passwords consist of a combination of letters, numbers, symbols, and uppercase and lowercase characters. They should also be unique for each account or service that you use. You can use a password manager to generate and store strong passwords for you. You should also change your passwords regularly and never share them with anyone.
  • Use two-step verification – This is a method of authentication that adds an extra layer of security to your login process. Two-step verification requires you to enter a code or a token that is sent to your phone or email after you enter your username and password. This way, even if someone knows your password, they won’t be able to access your account without the code or token. You can enable two-step verification on your WordPress site using plugins like Jetpack or Google Authenticator .

After you have implemented all those best practices and taking proactive measures above, you are sure that you have significantly improved the security of your WooCommerce website and protect your valuable content and customer data.

(Visited 35 times, 1 visits today)
Avatar photo

Frank H. is a passionate information security practitioner. He was the earliest MCSE in 1995 and has more than 30 years of IT industry experience. He partners with Microsoft as a solution provider and security advisor for governments. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries.

Similar Posts

Behind the Firewall: VPNs as Lifelines for Modern-Day Journalists

Behind the Firewall: VPNs as Lifelines for Modern-Day Journalists

Avatar photoByFrank H

On a raining and cold afternoon, in the porch of my house in San Jose, California. I was having coffee with an old friend who’s a seasoned journalist, and she casually mentioned how crucial VPNs are for her line of work. That conversation opened my eyes to how journalists and activists navigate the digital landscape…

Protect Your Privacy: Understanding VPNs and Search History

Protect Your Privacy: Understanding VPNs and Search History

Avatar photoByFrank H

Online privacy is a major concern for many internet users today. With ISPs, advertisers, hackers and even governments trying to track your online activities and collect your personal data, you may wonder how you can protect yourself from unwanted surveillance and interference. One of the most popular and effective tools for enhancing your online privacy is…

Pinduoduo android app has been caught red-hand executed zero-day exploit on millions of devices

Pinduoduo android app has been caught red-hand executed zero-day exploit on millions of devices

Avatar photoByFrank H

If you are one of the millions of users who have downloaded the Pinduoduo android app, you might be in for a nasty surprise. The popular e-commerce app has been caught red-handed executing a zero-day exploit on unsuspecting devices, certainly compromising your personal data and security. In this blog post, I will explain what a…

Leave a Reply