
Wooed by the Fake Patch: WooCommerce sites breached by backdoor plugin

  • 29 Apr
  • 2 min read



In a sophisticated phishing campaign targeting WooCommerce users, unknown threat actors have launched a large-scale attack that exploits fake security alerts to deploy backdoors on WordPress-based e-commerce sites. What begins as a warning about a critical vulnerability ends with full compromise of the victim’s website—stealthily executed through a rogue plugin masquerading as a patch.


The phishing hook: A patch too good to be true


The attack starts with a convincingly crafted email urging WooCommerce site owners to install a security update to fix a (non-existent) "Unauthenticated Administrative Access" vulnerability. The attackers use IDN homograph attacks to spoof the official WooCommerce domain, directing recipients to a near-identical copy of the WooCommerce Marketplace.

The malicious domain—woocommėrce[.]com, where the standard "e" is replaced by a visually similar "ė"—hosts a ZIP archive named authbypass-update-31297-id.zip, presented as a critical security patch. The goal? To lure administrators into downloading and installing the fake plugin.


The targets: SMEs with privileged access


The primary victims are small and medium-sized businesses running WooCommerce-powered online stores. These organizations often operate with limited technical oversight, yet their administrators hold privileged access to customer data, payment records, and the core infrastructure of their e-commerce platforms. That combination makes them a valuable and vulnerable target.


The breach: From plugin to full takeover


Once installed, the fake plugin silently creates a hidden administrator account with randomized credentials and sets up a cron job that executes every minute to maintain persistence. It then exfiltrates the newly created credentials and the site’s URL to an external server (woocommerce-services[.]com/wpapi) before fetching a secondary, obfuscated payload from other attacker-controlled domains. This payload deploys a set of web shells—including P.A.S.-Fork, p0wny, and WSO—while the plugin conceals both itself and the rogue admin account from WordPress dashboards to evade detection.

With full remote access to the compromised site, attackers gain control over key functions and sensitive data. They can inject spam or malicious ads, redirect traffic to fraudulent destinations, conscript the server into a botnet for distributed denial-of-service (DDoS) attacks, or even encrypt critical site files and demand ransom. Additionally, they can harvest login credentials and metadata for resale or to fuel further attacks across other platforms.


Defense measures: How to protect your platform


To defend against this campaign and similar future threats, website administrators should:

  • Scan for unknown or suspicious plugins and hidden administrator accounts
  • Delete unverified or unofficial plugins and ZIP files
  • Block access to phishing and spoofed domains
  • Keep WooCommerce and WordPress installations fully up to date
  • Train teams to identify fake CVEs and IDN-based domain spoofing
  • Use application firewalls and intrusion detection systems to catch anomalies
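As an added example (not code from the original post or from WooCommerce), the following Python check demonstrates how the IDN homograph lure described above can be caught before anyone clicks: it collapses confusable letters such as "ė" onto a skeleton, shows the xn-- form that DNS and proxy logs actually record, and flags link hosts that match or embed a protected brand. The PROTECTED_DOMAINS allowlist and the sample message body are constructed assumptions.

```python
import re
import unicodedata

# Constructed allowlist: brand domains an administrator expects notices from.
PROTECTED_DOMAINS = {"woocommerce.com", "wordpress.org"}
URL_HOST_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)


def skeleton(domain: str) -> str:
    """Collapse confusable letters onto their base letter ('ė' -> 'e')."""
    decomposed = unicodedata.normalize("NFKD", domain)
    # NFKD splits 'ė' (U+0117) into 'e' + combining dot above; drop the mark.
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def punycode(domain: str) -> str:
    """ASCII (xn--) form a resolver queries: what DNS and proxy logs record."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain  # unencodable label; keep raw form for the analyst


def classify_domain(domain: str) -> dict:
    """Rate one hostname against the allowlist (accepts defanged '[.]')."""
    raw = domain.strip().rstrip(".").replace("[.]", ".").casefold()
    ascii_form = punycode(raw)
    skel = skeleton(raw)
    if raw in PROTECTED_DOMAINS:
        verdict = "legitimate"
    elif skel in PROTECTED_DOMAINS:
        verdict = "homograph"    # renders like the brand, resolves elsewhere
    elif any(p.split(".")[0] in skel for p in PROTECTED_DOMAINS):
        verdict = "lookalike"    # brand name embedded in an unrelated domain
    else:
        verdict = "unrelated"
    return {"domain": raw, "punycode": ascii_form, "skeleton": skel,
            "is_idn": ascii_form != raw, "verdict": verdict}


def scan_links(text: str) -> list:
    """Classify the host of every http(s) link found in a message body."""
    return [classify_domain(h) for h in URL_HOST_RE.findall(text)]


# Constructed message body mirroring the campaign's lure (not a real email).
SAMPLE_EMAIL = (
    "Critical: Unauthenticated Administrative Access in WooCommerce.\n"
    "Download the patch: https://woocommėrce.com/authbypass-update-31297-id.zip\n"
    "Documentation: https://woocommerce.com/document/\n"
)
```

Feeding the punycode form of flagged hosts into a DNS blocklist or proxy rule covers the "block access to spoofed domains" step, since that is the string the resolver sees rather than the Unicode rendering.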


This campaign underscores the importance of vigilance and verification in cybersecurity. Even seasoned administrators can fall victim when the bait is well-crafted and the urgency feels real. The line between a patch and a trap has never been thinner—so treat every unsolicited update request with caution.

If you run a WooCommerce store, now’s the time to double-check your plugins, review admin accounts, and ensure your security practices are not just up to date, but proactive.
