The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2 with a changelog entry marked simply “Security update.”
After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.
We developed a Proof of Concept and began writing and testing a firewall rule immediately.
Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.
[ed note: All clients of ProtectYourWP.com have already been updated]
Source and more details: https://www.wordfence.com/blog/2023/03/psa-update-now-critical-authentication-bypass-in-woocommerce-payments-allows-site-takeover
See also: https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/