vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Hackers Exploit Critical WooCommerce Payments Bug

Husain Parvez, Cybersecurity Researcher. Published on 20th July 2023.

According to a recent post by Ram Gall, a threat analyst at the WordPress security firm Wordfence, an undisclosed group of hackers has launched a campaign targeting a recently disclosed vulnerability in the WooCommerce Payments plugin. The campaign began on July 14th, and the attacks peaked on July 16th, when approximately 1.3 million attacks targeted 157,000 websites in a single day.

The critical vulnerability (tracked as CVE-2023-28121) was identified by developers on March 23rd, 2023. It was given a CVSS (Common Vulnerability Scoring System) score of 9.8, rating it “Critical” in severity, because it allows unauthenticated attackers to gain administrative privileges on vulnerable websites.

Although WooCommerce initially stated that there were no known instances of active exploitation at the time, researchers cautioned that, given the critical nature of the bug, exploitation was highly likely to follow.

This vulnerability specifically affects WooCommerce Payments plugin versions 4.8.0 and above. When the bug was first disclosed, the developers behind the plugin promptly released version 5.6.2 to patch it. The fix is included in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and all subsequent releases.

Because the vulnerability lets remote users impersonate administrators and take full control of WordPress sites, Automattic took the proactive step of force-installing the security fix on WordPress installations using the affected plugin. However, this automatic update was not applied to WordPress sites hosted on the user’s own servers; those required a manual update.

As a result, many website owners failed to apply this critical patch, leaving their sites vulnerable to attack.
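For an operator of several self-hosted WordPress sites, the practical question raised by the two paragraphs above is which installations still sit inside the affected range. The following Python is an added example, not code from the article, Wordfence or the WooCommerce project: it encodes only the version boundaries the article states (affected from 4.8.0, fixed in 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2 and later) and triages a constructed inventory of hostnames and installed plugin versions. The hostnames and versions in the sample inventory are made up; in practice the version string would come from your own asset inventory or the plugin header on each site.

```python
"""
Offline check of whether an installed WooCommerce Payments version falls in the
range affected by CVE-2023-28121, using the version boundaries given in the
article. Added example; not code from the article or the plugin's authors.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (4, 8, 0)
# Patched releases per minor line, exactly as listed in the article.
FIXED_RELEASES: List[Version] = [
    (4, 8, 2), (4, 9, 1), (5, 0, 4), (5, 1, 3), (5, 2, 2),
    (5, 3, 1), (5, 4, 1), (5, 5, 2), (5, 6, 2),
]
# Highest release named in the article; anything newer is a "subsequent release".
LATEST_FIXED: Version = max(FIXED_RELEASES)
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {(v[0], v[1]): v for v in FIXED_RELEASES}

# Accepts "X.Y", "X.Y.Z", an optional leading "v" and ignores any trailing suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse a plugin version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text: str) -> str:
    """Return 'not-affected', 'vulnerable' or 'patched' for an installed version."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not-affected"  # releases before 4.8.0 are outside the affected range
    if v >= LATEST_FIXED:
        return "patched"  # 5.6.2 and any subsequent release
    fixed = FIXED_BY_LINE.get((v[0], v[1]))
    if fixed is None:
        # A minor line between 4.8 and 5.6 that the article does not name
        # (hypothetical, e.g. 4.10.x): be conservative and flag it.
        return "vulnerable"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the sites needing a manual update stand out."""
    result: Dict[str, List[str]] = {"not-affected": [], "vulnerable": [], "patched": []}
    for host, ver in inventory.items():
        result[assess(ver)].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "shop-a.example": "4.7.1",
    "shop-b.example": "4.8.0",
    "shop-c.example": "4.8.2",
    "shop-d.example": "5.3.0",
    "shop-e.example": "5.6.1",
    "shop-f.example": "5.6.2",
    "shop-g.example": "5.7.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The check deliberately treats an unlisted minor line inside the affected range as vulnerable rather than patched, so an inventory error surfaces as something to verify rather than something silently skipped.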

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.