Single Blog

Critical Vulnerability in WooCommerce Payments Plugin Enables Site Takeover through User Impersonation

March 23, 2023, Written by 0 comment

A security vulnerability has been discovered in the WooCommerce Payments plugin by Automatic that poses a severe threat to the security of online stores and it classified as critical by Wordfence . It is recommended that users upgrade to the latest version of WooCommerce Payments as soon as possible.

The vulnerability enables unauthenticated attackers to impersonate any user and perform actions as if they were the genuine user, leading to a potential site takeover. The vulnerability exists due to the plugin’s failure to validate and verify user input, allowing an attacker to bypass authentication and take control of the website. An attacker could exploit this vulnerability by crafting a specially crafted request, which allows them to execute arbitrary code on the server and bypass authentication. This would enable the attacker to perform various actions as the impersonated user, such as changing the user’s account information, accessing sensitive information, or making unauthorized purchases.

This vulnerability could have significant implications for eCommerce sites that use the WooCommerce Payments plugin, as it could lead to significant financial losses, data breaches, and damage to the site’s reputation. An attacker could potentially gain access to sensitive information, such as customer data, payment information, and other confidential information.

The vulnerability affects all versions of the WooCommerce Payments plugin, and site owners are advised to update their plugins to the latest version immediately to mitigate the risk. It is also recommended to implement additional security measures such as web application firewalls, intrusion detection systems, and regular security audits to prevent future security incidents.


Andrew is a Wordpress enthusiast, web developer and founder of WP Care.