Security-Stop-Press: Websites Hijacked Through WooCommerce Plugin Flaw

Wordfence warned that large-scale attacks are under way against a vulnerability (CVE-2023-28121) in the WooCommerce Payments WordPress plugin.

The flaw in the plugin, which is installed on over 600,000 sites, is an authentication bypass: it lets attackers impersonate arbitrary users and perform some actions as them, including as an administrator, potentially leading to site takeover.

Wordfence says patches for the bug were released by WooCommerce in March 2023, and WordPress has issued auto-updates to sites using affected versions of the plugin.