WordPress WooCommerce Payments Plugin Vulnerability via @sejournal, @martinibuster
Automattic, publishers of the WooCommerce plugin, announced the discovery and patch of a critical vulnerability in the WooCommerce Payments plugin.
The vulnerability allows an attacker to gain Administrator level credentials and perform a full site-takeover.
Administrator is the highest-permission user role in WordPress, granting full access to a WordPress site, including the ability to create more admin-level accounts and to delete the entire website.
What makes this particular vulnerability of great concern is that it’s exploitable by unauthenticated attackers, which means that they don’t first have to acquire any other permission in order to manipulate the site and obtain an admin-level user role.
WordPress security plugin maker Wordfence described this vulnerability:
/wp-content/plugins/woocommerce-payments/includes/platform-checkout/class-platform-checkout-session.php