Security vulnerability in Krokedil plugin for WooCommerce

We have been made aware of a critical security vulnerability in the Klarna Checkout for WooCommerce and Klarna Payments for WooCommerce plugins.

As soon as this became known to us, we made sure to take immediate action and fix the issue and released a patch that sorted the issue a few hours later.

The plugins registers one ajax function that installs, activates and deactivates add-on plugins for additional Klarna functionality. Via this vulnerability, logged in users could access this functionality for managing other plugins on the website. More information about the vulnerability can be found at wpvulndb.com.

Update to the latest version as soon as possible

During April 9, version 2.0.10 of Klarna Checkout for WooCommerce and version 2.0.7 of Klarna Payments for WooCommerce were released to fix this issue. Make sure to upgrade to the latest version (2.0.10+ for KCO & and 2.0.7+ for KP) as soon as possible via the plugin update screen in your WordPress admin area.

1. As a logged in admin, navigate to –> Dashboard –>Updates.
2. You should be able to see the version available for upgrade.
   
3. Tick the checkbox next to the plugin.
4. Click on the Update plugins button.
5. The plugin should now be updated.

Still on v1.x?

If you have a WooCommerce site running version 1.x of the Klarna Checkout plugin we also have released a fix in version 1.11.8. This version is available via wordpress.org & github.com. If you want to roll back to version 1.11.8 you can do this via the WP Rollback plugin.

1. Once the WP Rollback plugin is installed and activated, there will be a new action link named Rollback added to all plugins.
   
2. Click on Rollback and select version 1.11.8. Then click on the Rollback button.
   
3. A popup window is now displayed. Press the Rollback button.
   
4. The plugin is now being updated to version 1.11.8. Make sure that the plugin still is activated after the update.

When it comes to updating plugins, it is considered best practice, and recommended, to test the new version in a staging environment before doing changes in a live store.

If you have any questions, please get in touch with us via the support beacon in the bottom left corner on this page.

We are very sorry for any inconvenience this have caused you.