Tuesday, May 13, 2025
Homecyber securityWooCommerce Users Targeted by Fake Security Vulnerability Alerts

WooCommerce Users Targeted by Fake Security Vulnerability Alerts

Published on

SIEM as a Service

Follow Us on Google News

A concerning large-scale phishing campaign targeting WooCommerce users has been uncovered by the Patchstack securpity team, employing a highly sophisticated email and web-based phishing template to deceive website owners.

The attackers behind this operation warn users of a fabricated “Unauthenticated Administrative Access” vulnerability in their WooCommerce installations, urging them to download a supposed patch from a malicious website.

Sophisticated Phishing Campaign Mimics Official Alerts

Strikingly similar to the previously reported “Fake CVE” phishing attack on WordPress users, this campaign uses near-identical email formatting, security-themed messaging, and malware concealment techniques, suggesting it may be orchestrated by the same group or heavily inspired by their methods.

- Advertisement - Google News
WooCommerce Users
fake WooCommerce Marketplace page

The phishing email, masquerading as an official WooCommerce alert, originates from a deceptive address, help@security-woocommerce[.]com, and directs users to a fraudulent site using an IDN homograph attack with the domain woocommėrce[.]com note the subtle “ė” replacing the standard “e” to mimic the legitimate WooCommerce Marketplace.

Technical Breakdown of the Malicious Payload

Clicking the “Download Patch” button in the email leads victims to a counterfeit WooCommerce Marketplace page, where they are prompted to download a malicious ZIP file named authbypass-update-31297-id.zip.

Once installed and activated as a plugin, this file operates covertly, leveraging legitimate WordPress hooks to disguise its nefarious activities.

Upon activation, the plugin creates a cronjob with a randomized name like “mergeCreator655” in WP Cron, attempting every minute to generate a hidden administrator account with an obfuscated username and random password.

It then sends base64-encoded data including the new credentials and site URL to an attacker-controlled server, woocommerce-services[.]com/wpapi, via an HTTP GET request.

Further, the plugin downloads additional obfuscated payloads from domains such as woocommerce-help[.]com/activate and woocommerce-api[.]com/activate, installing multiple PHP-based web shells like P.A.S.-Fork, p0wny, and WSO into a directory named wp-cached-<random string> within wp-content/uploads.

These shells grant attackers near-total control over the compromised server, enabling potential exploits such as injecting ads, redirecting users to malicious sites, stealing billing data, launching DDoS attacks, or deploying ransomware by encrypting the site or holding database backups hostage.

According to Patchstack Report, the plugin also hides itself from the WordPress plugin list and conceals the rogue administrator account to evade detection.

Importantly, this campaign poses no threat unless the malicious plugin is downloaded and installed.

Neither WordPress nor WooCommerce would ever request manual patch installations; legitimate updates are always released through official channels as version updates.

Indicators of compromise include an 8-character random username, unusual cronjob names, suspicious folders like authbypass-update in wp-content/plugins, or outgoing requests to domains like woocommerce-services[.]com.

As awareness of this scam spreads, attackers are likely to adapt, changing domain names and other markers to bypass flagging by security services and registrars.

Website owners are urged to remain vigilant, scrutinize emails claiming urgent security fixes, and rely solely on official sources for updates to protect their WooCommerce installations from such deceptive and damaging phishing tactics.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...