A bug in WooCommerce’s Payments plug-in is widely being exploited in the wild, despite a patch being available months ago, warns security researchers of several firms.

Hackers exploiting the concerned bug will be able to gain admin privileges of the targeted site to perform any high-level operation as desired. WordPress notes there are more than 600,000 installations for WooCommerce’s Payments plug-in to date.

A Critical Bug in WooCommerce Plug-in

WooCommerce is one of the best packages for running an online store, with its suite having a wide range of tools to aid your regular business. One among them is its payments plug-in, which lets the shop owners accept credit and debit card payments and has over 600,000 installations on WordPress.

Well, this plug-in is infected with a serious privilege escalation flaw, tracked as CVE-2023-28121, and was given a severity score of 9.8/10. WooCommerce developers discovered this flaw in March 2023 and said that versions 4.8.0 and higher are vulnerable.

A patch was made immediately available – with Automattic force-installing it on all the concerned WordPress sites, keeping them safe. But the website admins also must keep themselves updated to remain secure in the cyber world. This is also the need of the hour, as two security firms warn of actively exploiting the bug in the wild, putting all the WordPress websites running on vulnerable WooCommerce payment plugins at risk.

RCE Security said all that attackers need to do put the ‘X-WCPAY-PLATFORM-CHECKOUT-USER‘ request header and set it to the user ID of the account they wish to impersonate. This will enable them to gain the concerned user’s privileges quickly. Wordfence researchers noted a massive campaign targeting over 157,000 sites on Saturday, triggering the community.

Even before updating the plug-in, researchers advise admins to check their site for unusual PHP files and suspicious administrator accounts and delete them. Once done, update the WooCommerce Payment plugin to the latest version available.