
A widespread phishing campaign targeting WooCommerce store owners has been identified, leveraging fabricated security vulnerability alerts to distribute malware. The attackers impersonate WooCommerce support, urging victims to download a malicious "patch" under the guise of addressing a critical flaw. The campaign, first reported by the Patchstack security team, relies on social engineering rather than on any actual WooCommerce vulnerability: the store owner installs the malware themselves, which is why it passes controls that only look for exploit traffic [1].
Technical Analysis of the Attack
The phishing emails originate from domains designed to mimic legitimate WooCommerce communications, such as [email protected] and [email protected]. One variant uses an Internationalized Domain Name (IDN) homograph attack with the domain woocommėrce[.]com, in which the Latin "e" is replaced by the visually similar "ė" (U+0117) so that the sender domain survives a casual visual check even though it is an entirely different registered name [2]. The emails claim the existence of an "Unauthenticated Administrative Access" vulnerability and direct recipients to download a file named authbypass-update-31297-id.zip.
Once installed, the malware creates a hidden administrator account with a randomly generated 8-character username and deploys web shells in the wp-content/uploads/wp-cached-* directory. Web shells observed include P.A.S.-Fork and p0wny. The malware then exfiltrates data to attacker-controlled domains such as woocommerce-services[.]com [2].
Indicators of Compromise (IoCs)
Organizations should monitor for the following IoCs to detect potential compromises:
- Unusual administrator accounts with random usernames
- Suspicious cron jobs (e.g., mergeCreator655)
- Outbound connections to known malicious IPs
- Unexpected requests to /wp-json/wc/store/products/collection-data (this is a legitimate WooCommerce Store API route, so baseline normal storefront traffic before alerting on it)
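The checks below turn the IoC list into a small host-based hunt. This is an added example, not tooling from Patchstack, WooCommerce or the original write-up; the sample users, cron hooks, file paths and access-log lines are constructed, and the cron-name heuristic, the core-prefix allowlist and the request threshold are assumptions chosen for the example. On a real site the first two inputs come from `wp user list --role=administrator --fields=user_login,roles` and `wp cron event list --fields=hook`.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Patterns taken from the IoC list; thresholds and allowlists are assumptions for this example.
RANDOM_ADMIN = re.compile(r"^[a-z0-9]{8}$")          # 8-character random admin usernames
KNOWN_BAD_CRON = {"mergeCreator655"}                 # cron hook named in the campaign write-up
RANDOMISED_CRON = re.compile(r"^[A-Za-z]+\d{3,}$")   # heuristic: same shape (word + trailing digits)
CORE_CRON_PREFIXES = ("wp_", "woocommerce_", "action_scheduler_", "wc_", "wc-")  # assumed benign
WP_CACHED_DIR = re.compile(r"^wp-content/uploads/wp-cached-[^/]*/")
PHP_IN_UPLOADS = re.compile(r"^wp-content/uploads/.*\.ph(p\d?|tml|ar)$", re.I)  # PHP never belongs here
STORE_API = "/wp-json/wc/store/products/collection-data"
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


@dataclass
class Findings:
    admins: list = field(default_factory=list)
    crons: list = field(default_factory=list)
    files: list = field(default_factory=list)
    store_api_ips: dict = field(default_factory=dict)


def check_admins(users):
    """users: iterable of (login, role). Flag administrators whose login looks machine-generated."""
    return [login for login, role in users
            if role == "administrator" and RANDOM_ADMIN.match(login)]


def check_crons(hooks, baseline=frozenset()):
    """hooks: cron hook names. Flag known-bad and randomised-looking hooks outside the baseline."""
    flagged = []
    for hook in hooks:
        if hook in baseline or hook.startswith(CORE_CRON_PREFIXES):
            continue
        if hook in KNOWN_BAD_CRON or RANDOMISED_CRON.match(hook):
            flagged.append(hook)
    return flagged


def check_files(paths):
    """paths: site-relative file paths. Flag the campaign's drop directory and any PHP under uploads."""
    return [p for p in paths if WP_CACHED_DIR.match(p) or PHP_IN_UPLOADS.match(p)]


def check_access_log(lines, threshold=3):
    """Count hits per client IP on the Store API route; the route is legitimate, so only volume is the signal."""
    hits = Counter()
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and m.group("path").split("?", 1)[0] == STORE_API:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def hunt(users, hooks, paths, lines):
    """Run every check and bundle the results for triage."""
    return Findings(check_admins(users), check_crons(hooks), check_files(paths), check_access_log(lines))


# Constructed sample data (not from any real site) so the block runs offline.
SAMPLE_USERS = [("admin", "administrator"), ("editor_jane", "editor"),
                ("q7x2m9kd", "administrator"), ("shop_manager", "administrator")]
SAMPLE_CRONS = ["wp_update_plugins", "woocommerce_cleanup_sessions", "mergeCreator655",
                "syncHelper812", "my_backup_job"]
SAMPLE_FILES = ["wp-content/uploads/2025/04/product.jpg",
                "wp-content/uploads/wp-cached-a1b2c3/index.php",
                "wp-content/uploads/2025/04/shell.php",
                "wp-content/plugins/woocommerce/woocommerce.php"]
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2025:10:01:02 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=true HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Apr/2025:10:01:03 +0000] "GET /wp-json/wc/store/products/collection-data HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Apr/2025:10:01:04 +0000] "GET /wp-json/wc/store/products/collection-data HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Apr/2025:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 8192',
    '198.51.100.4 - - [22/Apr/2025:10:02:05 +0000] "GET /wp-json/wc/store/products/collection-data HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(hunt(SAMPLE_USERS, SAMPLE_CRONS, SAMPLE_FILES, SAMPLE_LOG))
```

The username and cron checks are triage signals, not proof: an 8-character login such as a real staff account will match, so review the flagged accounts against the known administrator list and pass known-good hooks in as the baseline. PHP under wp-content/uploads is the one check that needs no baseline.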
Mitigation and Response
For unaffected stores, security teams should verify that all security-related emails originate from the @woocommerce.com or @automattic.com domains, checking the actual sender address rather than the display name. Plugin updates should only be installed through the official WordPress dashboard, never from a link or attachment in an email. Enabling two-factor authentication (2FA) and monitoring logs for suspicious activity are critical preventive measures [2].
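The sender check described here and the homograph variant described in the technical analysis can be automated on the mail gateway or in a triage script. The following Python is an added example, not code from Patchstack, WooCommerce or the original write-up: it parses a From: header, accepts only the two trusted domains, reports the punycode form of any IDN sender (which is what DNS and mail logs actually see), and flags a domain that differs from a trusted one only by diacritics as a homograph. The brand-token lookalike list and the sample addresses are assumptions for the example.

```python
import unicodedata
from email.utils import parseaddr

# Domains the write-up names as legitimate sources of WooCommerce security mail.
TRUSTED_DOMAINS = {"woocommerce.com", "automattic.com"}
# Assumed brand strings a lookalike domain would embed (woocommerce-help.example, etc.).
BRAND_TOKENS = ("woocommerce", "automattic")


def _strip_marks(s: str) -> str:
    """Decompose accented letters (U+0117 'ė' -> 'e' + U+0307) and drop the combining marks."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", s)
                   if not unicodedata.combining(ch))


def sender_domain(header_value: str) -> str:
    """Return the lowercased domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value: str) -> dict:
    """Decide whether a From: header is from a trusted domain and explain why not otherwise."""
    domain = sender_domain(header_value)
    result = {"domain": domain, "trusted": False, "reasons": []}
    if not domain:
        result["reasons"].append("no parseable address")
        return result
    if domain in TRUSTED_DOMAINS:
        result["trusted"] = True
        return result

    # Any non-ASCII label means an IDN; show its punycode form for log correlation.
    if not domain.isascii():
        try:
            puny = domain.encode("idna").decode("ascii")
        except UnicodeError:
            puny = "<unencodable>"
        result["punycode"] = puny
        result["reasons"].append(f"non-ASCII domain (IDN), punycode {puny}")

    # Diacritic-only difference from a trusted domain is the homograph case from the write-up.
    folded = _strip_marks(domain)
    if folded != domain and folded in TRUSTED_DOMAINS:
        result["reasons"].append(f"homograph of {folded}")

    # Lookalike: brand name embedded in an untrusted domain.
    for token in BRAND_TOKENS:
        if token in folded:
            result["reasons"].append(f"untrusted domain contains brand token '{token}'")
            break

    if not result["reasons"]:
        result["reasons"].append("untrusted domain")
    return result


if __name__ == "__main__":
    # Constructed sample headers; the non-ASCII one uses U+0117 in place of the Latin 'e'.
    for hdr in ("WooCommerce <security@woocommerce.com>",
                "WooCommerce Support <alerts@woocomm\u0117rce.com>",
                "Support <help@woocommerce-help.example>"):
        print(classify_sender(hdr))
```

The homograph test deliberately compares only after stripping combining marks; characters from other scripts (Cyrillic "о" for Latin "o", for instance) do not decompose to ASCII and are caught by the IDN branch instead, which is why both checks are kept.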
For compromised systems, immediate action is required. All API keys, including admin and payment gateway credentials, must be rotated, since the hidden administrator account and web shells give the attacker access to everything stored on the site. Security teams should conduct thorough scans using tools like Wordfence or Patchstack and restore systems from a clean backup taken before the malicious "patch" was installed. The presence of web shells in the uploads directory warrants a complete system review, as these often persist after superficial cleanup attempts [2].
Historical Context and Related Vulnerabilities
This campaign shares similarities with the July 2021 WooCommerce SQL injection vulnerability (CVE-2021-24323), though it relies on social engineering rather than on a technical exploit. It also mirrors previous "Fake CVE" phishing attacks targeting WordPress administrators [2].
Separately, the WooCommerce Payments plugin vulnerability (CVE-2023-28121) affected over 600,000 sites. It was an authentication bypass, not server-side request forgery: an unauthenticated attacker could impersonate any user, including an administrator, by sending a spoofed X-WCPAY-PLATFORM-CHECKOUT-USER request header. The flaw was patched in version 5.6.2, released in March 2023 [3], and was exploited at scale in July 2023 [4].
Conclusion
The WooCommerce phishing campaign demonstrates the increasing sophistication of social engineering attacks targeting e-commerce platforms. Security teams must remain vigilant against such threats, combining technical controls with user awareness training. Regular updates, strict email verification policies, and comprehensive monitoring are essential defenses against these evolving tactics.
References
1. "WooCommerce Users Targeted by Fake Security Vulnerability Alerts," GBHackers Security, 2025. [Online]. Available: https://gbhackers.com/woocommerce-users-targeted-by-fake-security/
2. "WooCommerce Phishing Campaign (April 2025): Technical Analysis & Mitigation," Internal Research, 2025.
3. "Critical Vulnerability Detected in WooCommerce Payments: What You Need to Know," WooCommerce Developer Blog, 2023. [Online]. Available: https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
4. "Massive Targeted Exploit Campaign Against WooCommerce Payments Underway," Wordfence, 2023. [Online]. Available: https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/
5. "October 2024 Security Bulletin," Qualcomm, 2024. [Online]. Available: https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2024-bulletin.html
6. "Ricoh Security Vulnerability Announcements," Ricoh USA, 2025. [Online]. Available: https://www.ricoh-usa.com/en/support-and-download/alerts/alerts-security-vulnerability-announcements