Hackers Exploit Critical WooCommerce Payments Bug

By Husain Parvez, Cybersecurity Researcher. Published on 20th July 2023.

According to a recent post by Ram Gall, a threat analyst at the WordPress security firm Wordfence, an undisclosed group of hackers has launched a campaign targeting a recently disclosed vulnerability in the WooCommerce Payments plugin. The campaign began on July 14th and peaked on July 16th, when approximately 1.3 million attacks targeted 157,000 websites in a single day.

The critical vulnerability (tracked as CVE-2023-28121) was identified by developers on March 23rd, 2023. It was assigned a CVSS (Common Vulnerability Scoring System) score of 9.8, rating it “Critical” in severity, because it allows unauthenticated attackers to gain administrative privileges on vulnerable websites.

Although WooCommerce initially stated that there were no known instances of active exploitation at the time, researchers cautioned that, given the critical nature of the bug, exploitation in the wild was highly probable.

This vulnerability affects WooCommerce Payments plugin versions 4.8.0 and later that have not received the fix. When the bug was first disclosed, the developers behind the WooCommerce Payments plugin promptly released version 5.6.2 to patch it. The fix is included in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and any subsequent releases.

Because the vulnerability enables remote users to impersonate administrators and gain full control over WordPress sites, Automattic took the proactive step of force-installing the security fix on WordPress installations that used the affected plugin. However, this automatic update did not reach WordPress sites hosted on the user’s own servers; those required a manual update.

As a result, many website owners failed to apply this critical patch, leaving their sites open to attack.
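Since self-hosted sites had to be patched by hand, a defender auditing a fleet needs a branch-aware version check rather than a single "is it below 5.6.2" test. The following is an added example, not code from the article, Wordfence or WooCommerce; it encodes the affected and fixed version numbers stated above, and the site names and versions in the sample inventory are constructed for illustration.

```python
# Added example: flag WooCommerce Payments installs still exposed to CVE-2023-28121,
# using the affected (4.8.0 and later) and fixed version numbers from the article.

# Versions the article lists as carrying the fix, one per major.minor branch.
FIXED_VERSIONS = ["4.8.2", "4.9.1", "5.0.4", "5.1.3", "5.2.2",
                  "5.3.1", "5.4.1", "5.5.2", "5.6.2"]
FIRST_AFFECTED = "4.8.0"   # per the article, versions 4.8.0 and above are impacted


def parse_version(text):
    """Turn '5.6.2' into (5, 6, 2); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


# Map each patched branch (major, minor) to the first release that carries the fix.
_FIX_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
_NEWEST_FIXED_BRANCH = max(_FIX_BY_BRANCH)


def is_vulnerable(version):
    """True if this WooCommerce Payments version still lacks the CVE-2023-28121 fix."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return False                       # predates the vulnerable code
    branch = v[:2]
    if branch in _FIX_BY_BRANCH:
        return v < _FIX_BY_BRANCH[branch]  # older than this branch's patched release
    # Branches newer than 5.6 shipped after the fix ("any subsequent releases").
    return branch < _NEWEST_FIXED_BRANCH


def sites_needing_update(inventory):
    """Given {site_name: installed_version}, return the sites that must be patched."""
    return sorted(site for site, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "shop-a.example": "5.6.1",   # one release short of the fix
    "shop-b.example": "5.6.2",   # patched
    "shop-c.example": "4.7.5",   # never affected
    "shop-d.example": "5.3.0",   # unpatched 5.3 branch
    "shop-e.example": "5.7.0",   # released after the fix
}

if __name__ == "__main__":
    for site in sites_needing_update(SAMPLE_INVENTORY):
        print(f"{site}: WooCommerce Payments {SAMPLE_INVENTORY[site]} needs a manual update")
```

The installed version for a real site can be fed in from whatever inventory tooling is already in place; the check itself only needs the version string.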

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.