Automattic, the company behind WordPress.com and the WooCommerce e-commerce platform, is force-installing a security update on hundreds of thousands of websites running the hugely popular WooCommerce Payments plugin for online stores.

The patch fixes a critical vulnerability that allows unauthenticated attackers to gain administrator access to vulnerable stores.

The flaw was reported by Michael Mazzolini of GoldNetwork and affects WooCommerce Payments 4.8.0 through 5.6.1.

Wordfence said unauthenticated attackers can exploit the bug to “impersonate an administrator and take complete control of a website without any user interaction or social engineering”, while Patchstack warns that since “this vulnerability does not require any authentication, it is very likely that it will be exploited very soon in mass”.

The WooCommerce team fixed the bug in security updates released earlier today and says it has found no evidence that it is being targeted or exploited in the wild.

“At this time, we have no evidence that the vulnerability has been exploited beyond its identification in our own security testing program. We do not believe that any store or customer data has been compromised as a result of this vulnerability”, said Beau Lebens, Head of Engineering at WooCommerce.

“We immediately disabled the affected services and mitigated the issue for all websites hosted on WordPress.com, Pressable and WPVIP.”

Security update deployed to some vulnerable sites

Vulnerable WooCommerce stores hosted on WordPress.com have been updated, or are being updated, to fix the vulnerability.

“We have sent out a patch and worked with the WordPress.org plugins team to automatically update sites running WooCommerce Payments 4.8.0 to 5.6.1 to the patched versions. The update is currently rolling out automatically to as many stores as possible,” Lebens added.

Administrators hosting WordPress on their own servers need to update WooCommerce Payments manually, using the following procedure:

  1. From your WP Admin dashboard, open the Plugins menu and find WooCommerce Payments in your list of plugins.
  2. The version number is displayed in the Description column next to the plugin name. If it matches one of the fixed versions listed below, no further action is necessary.
  3. If a new version is available, you should see a notice prompting you to update WooCommerce Payments; apply it.

Patched versions of WooCommerce Payments: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.
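The same check, scripted for administrators who manage several self-hosted stores from the command line. This is an added example and is not code from the article or from WooCommerce: it classifies an installed version using only the ranges quoted above (affected 4.8.0 through 5.6.1, fixed releases listed per minor branch), and the `check_site` wrapper assumes WP-CLI is installed and is given the site root path.

```shell
#!/bin/sh
# Added example (not from the article or from WooCommerce): decide whether an installed
# WooCommerce Payments version is patched, vulnerable, or outside the affected range,
# using only the version numbers the advisory gives (affected: 4.8.0 through 5.6.1;
# one fixed release per affected minor branch). The check_site wrapper assumes WP-CLI
# is installed; the site path it takes is supplied by the caller.

# Fixed releases from the advisory, one per affected minor branch.
PATCHED="4.8.2 4.9.1 5.0.4 5.1.3 5.2.2 5.3.1 5.4.1 5.5.2 5.6.2"

# version_ge A B: succeed when dotted version A >= B. Compares up to three numeric
# components; a pre-release suffix such as -rc1 is ignored and missing components
# count as 0 (".0.0" is appended so cut always finds three fields).
version_ge() {
    a="${1%%-*}.0.0"; b="${2%%-*}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# classify VERSION: prints "unaffected", "vulnerable" or "patched".
classify() {
    v=${1%%-*}
    branch=$(printf '%s' "$v" | cut -d. -f1,2)
    if ! version_ge "$v" 4.8.0; then
        echo unaffected            # older than the first affected release
        return 0
    fi
    for p in $PATCHED; do
        if [ "$(printf '%s' "$p" | cut -d. -f1,2)" = "$branch" ]; then
            # same minor branch: patched only from the listed fixed release upward
            if version_ge "$v" "$p"; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    # Branch not in the list and >= 4.8.0: the affected range ends at 5.6.1, so
    # 5.7.0 and anything later already carries the fix.
    echo patched
}

# check_site SITE_PATH: read the installed version with WP-CLI and update when needed.
# `wp plugin get --field=version` and `wp plugin update` are standard WP-CLI commands;
# woocommerce-payments is the plugin's wordpress.org slug.
check_site() {
    site=$1
    v=$(wp plugin get woocommerce-payments --field=version --path="$site")
    state=$(classify "$v")
    echo "WooCommerce Payments $v at $site: $state"
    if [ "$state" = vulnerable ]; then
        wp plugin update woocommerce-payments --path="$site"
    fi
}
```

Usage: source the file and run `check_site /var/www/html` (hypothetical path) for each store, or call `classify 5.6.1` directly to see the verdict for a version string. The per-branch comparison matters: 5.5.2 is patched but 5.6.1, although numerically higher, is not.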

Check for signs of compromise

After securing their stores, admins are advised to check for newly added administrator users and for suspicious posts on their websites.

If you find evidence of unexpected activity, immediately change all administrator passwords and rotate WooCommerce payment gateway and API keys.
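One way to run that check on a self-hosted store, as an added example that is not part of the article or of WooCommerce's guidance: export the administrator list and recent posts with WP-CLI as CSV and keep only rows dated on or after the day the store was patched. The CSV samples embedded below are constructed for illustration, the cutoff date is an assumption, and `rows_since` expects the selected field to contain no embedded commas (for post titles that may, use `--format=json` instead).

```shell
#!/bin/sh
# Added example (not from the article): flag administrator accounts and posts created
# on or after a cutoff date, from the CSV that WP-CLI prints for
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
#   wp post list --post_type=any --post_status=any --fields=ID,post_title,post_author,post_date,post_status --format=csv
# The sample data and the cutoff are constructed for illustration.

CUTOFF="2023-03-22"   # assumed date the fix was applied to this store

# Constructed sample of the user export: the two newest accounts are the suspicious ones.
SAMPLE_USERS_CSV='ID,user_login,user_email,user_registered
1,owner,owner@example.com,2021-05-02 10:11:12
7,wpadmin,support@example.net,2023-03-23 04:15:03
9,shopsupport,nobody@example.org,2023-03-24 01:02:03'

# Constructed sample of the post export: post 102 was created by the new account.
SAMPLE_POSTS_CSV='ID,post_title,post_author,post_date,post_status
101,Spring sale,1,2023-03-01 09:00:00,publish
102,Free gift cards,7,2023-03-23 04:20:00,publish
103,Draft notes,1,2023-02-11 12:00:00,draft'

# rows_since CUTOFF FIELD < csv: print every data row whose FIELD column holds a
# "YYYY-MM-DD HH:MM:SS" stamp on or after CUTOFF. The column is located by name from
# the CSV header, so the same function serves the user and the post export. Dates are
# compared as the integer YYYYMMDD, which is safe for this fixed-width format.
rows_since() {
    cutoff=$(printf '%s' "$1" | sed 's/-//g')
    field=$2
    IFS= read -r header
    n=0; i=0
    oldifs=$IFS; IFS=,
    for col in $header; do
        i=$((i + 1))
        if [ "$col" = "$field" ]; then n=$i; fi
    done
    IFS=$oldifs
    if [ "$n" -eq 0 ]; then
        echo "rows_since: no column named $field" >&2
        return 1
    fi
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        stamp=$(printf '%s' "$line" | cut -d, -f"$n")
        day=$(printf '%s' "${stamp%% *}" | sed 's/-//g')
        if [ "$day" -ge "$cutoff" ]; then printf '%s\n' "$line"; fi
    done
}

# triage SITE_PATH: run both exports against a live site (assumes WP-CLI is installed).
triage() {
    site=$1
    echo "== administrators registered on/after $CUTOFF =="
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered \
        --format=csv --path="$site" | rows_since "$CUTOFF" user_registered
    echo "== posts created on/after $CUTOFF =="
    wp post list --post_type=any --post_status=any \
        --fields=ID,post_title,post_author,post_date,post_status \
        --format=csv --path="$site" | rows_since "$CUTOFF" post_date
}
```

Against the constructed samples, `printf '%s\n' "$SAMPLE_USERS_CSV" | rows_since "$CUTOFF" user_registered` prints the `wpadmin` and `shopsupport` rows and nothing for `owner`; the post export yields only post 102, whose author ID 7 is one of the flagged accounts, which is exactly the cross-reference worth making before rotating credentials.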

“We also recommend that you modify any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, etc., depending on your particular store setup,” Lebens said.

“We encourage anyone who supports or develops for other WooCommerce merchants to share this information and ensure that their customers with WooCommerce Payments installed are using the most recent version of WooCommerce Payments.”

The plugin has more than 500,000 active installs and gives WooCommerce stores a payment gateway that is easy to set up and manage.
