Phishing Campaign Targets WooCommerce Stores with Fake Security Alerts
Recently, a sophisticated phishing campaign targeted WooCommerce store owners by falsely reporting a critical vulnerability and then tricking victims into installing malware disguised as an essential security patch.
Security researchers and WooCommerce’s team have issued alerts to help make store owners aware and keep themselves safe.
We summarize what you need to know about the ongoing campaign, how to recognize the phishing attempts, and what to do if you believe the campaign has affected you.
How the Phishing Campaign Works
The phishing campaign begins with an email that appears to be legitimate and comes from WooCommerce, following up on a warning about a critical security vulnerability that an attacker supposedly discovered around April 14, 2025.
The email then builds on that fear, claiming that attackers are actively exploiting the vulnerability and that the recipient must act quickly and download a "security patch."
The emails are disguised to appear to come from addresses like [email protected] or [email protected], which lets the attackers impersonate official WooCommerce communications.
The phishing email directs you to download the "patch" from a fake site built to replicate WooCommerce's real site. The domain name is only slightly altered through a homograph attack (for example, an "ë" in place of the "e"), a deliberate attempt to make the link look genuine at a glance.
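A defender can catch this kind of look-alike domain automatically before anyone clicks. The following is an added example, not code from the article or from WooCommerce: it decodes any punycode (xn--) host, strips combining marks with Unicode NFKD normalization so that "ë" collapses to "e", and flags a host that is not on the allow-list but collapses to one that is. The trusted host set is an assumption made for the example, drawn from the domains the article names.

```python
import unicodedata
from urllib.parse import urlparse

# Allow-list assumed for this example, built from the genuine domains the article mentions.
TRUSTED_HOSTS = {"woocommerce.com", "automattic.com", "wordpress.org"}


def is_trusted(host: str) -> bool:
    """True when the host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def decode_punycode(host: str) -> str:
    """Turn an 'xn--' (punycode) host back into Unicode so look-alike letters are visible."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Reduce a host to the base letters a reader actually sees.

    NFKD splits 'ë' into 'e' plus a combining diaeresis; dropping the combining
    marks leaves plain 'e', so 'woocommercë.com' collapses to 'woocommerce.com'.
    """
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify_link(url: str) -> str:
    """Classify the host of a URL as 'trusted', 'homograph' or 'untrusted'."""
    host = decode_punycode(urlparse(url).hostname or "")
    if is_trusted(host):
        return "trusted"
    base = skeleton(host)
    # Not trusted as written, but indistinguishable from a trusted name once
    # the decorations are removed: a homograph look-alike.
    if base != host and is_trusted(base):
        return "homograph"
    return "untrusted"


if __name__ == "__main__":
    for link in (
        "https://woocommerce.com/document/update-woocommerce/",
        "https://woocommercë.com/security-patch",    # constructed look-alike
        "https://woocommerce-help.com/patch.zip",    # domain named in the article
    ):
        print(classify_link(link), link)
```

The skeleton step is what matters: comparing raw strings would treat "woocommercë.com" as simply another unknown domain, whereas comparing base letters exposes that it was built to be mistaken for the real one. A mail gateway or link-rewriting proxy can apply the same check to every URL in an inbound message.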
The fake security patch on offer is a malicious plugin that installs backdoors and web shells, which the attackers use to keep persistent access to the compromised site.
Why These Emails Are Fake
While the phishing emails look urgent and official, several red flags give the fraud away. The sender addresses are not on any of WooCommerce's official domains, such as WooCommerce.com or Automattic.com.
WooCommerce always communicates with customers through trusted channels; for example, it directs users to WordPress.org for downloads, and it provides a full explanation and documentation of the steps users should take after downloading.
WooCommerce never tells store owners to install a patch from a third-party link; it always provides proper documentation instead.
What Happens If You Fall Victim?
If a store owner downloads and installs the malicious plugin offered in the phishing email, the security and privacy of their WooCommerce store can be compromised, with consequences that go well beyond direct financial loss.
This kind of malware gives attackers unauthorized access to the store, allowing them to steal customer data, plant further malicious code, alter the site's functionality, and potentially take full control of the store.
The damage extends beyond the store itself: falling for the scam can harm the owner's reputation, and if customer data is mishandled as a result of the attacker's actions, it could even lead to legal action against the store owner.
What to Do If You Installed the Malicious Plugin?
If you have already installed the malicious plugin, take immediate steps to limit the damage:
- Take your site offline temporarily to prevent further exploitation.
- Identify and delete any unauthorized admin users, especially those with random 8-character names.
- Remove suspicious cron jobs that were created without your knowledge.
- Scan for hidden web shells in the wp-content/uploads/ directory.
- Check for unusual outgoing connections to domains like woocommerce-services[.]com or woocommerce-help[.]com.
- Restore your site from a clean backup if available.
- Change all login credentials, including database passwords.
- Have a thorough security audit performed by a trusted cybersecurity service.
Since attackers adapt quickly once exposed, do not rely solely on static indicators such as filenames; review all recent changes and server activity as well.
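The checks in the list above can be scripted so they are run consistently across every store you manage. The following is an added example, not the article's or WooCommerce's own tooling: it takes a list of administrator user names, crontab entries, file paths, and outbound-connection log lines, and reports the indicators the article describes (random 8-character admin names, cron jobs that execute code from the uploads directory, PHP files under wp-content/uploads/, and connections to the named phishing domains). The sample data is constructed for the demonstration and does not come from any real site; the log-line format and the "known users" roster are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted in the article: the phishing domains and the web-shell drop location.
PHISHING_DOMAINS = ("woocommerce-services.com", "woocommerce-help.com")
UPLOADS_DIR = "wp-content/uploads/"
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")           # 8-character random-looking names
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3-7])$", re.I)

# Constructed sample data standing in for a real site's users, crontab, file tree and logs.
SAMPLE_ADMIN_USERS = ["admin", "shop_manager", "q7x2kd9p", "alice"]
SAMPLE_CRON = [
    "0 * * * * /usr/bin/php /var/www/html/wp-cron.php",
    "*/5 * * * * /usr/bin/php /var/www/html/wp-content/uploads/2025/04/.cache.php",
]
SAMPLE_FILES = [
    "wp-content/uploads/2025/04/banner.png",
    "wp-content/uploads/2025/04/.cache.php",
    "wp-content/plugins/woocommerce/woocommerce.php",
]
SAMPLE_CONNECTIONS = [
    "2025-04-20T10:01:02Z OUT 203.0.113.5:443 host=api.wordpress.org",
    "2025-04-20T10:01:09Z OUT 198.51.100.7:443 host=cdn.woocommerce-services.com",
]


def matches_domain(host: str, domains: Iterable[str] = PHISHING_DOMAINS) -> bool:
    """True when host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_users(users: Iterable[str], known=("admin", "shop_manager")) -> List[str]:
    """Admin accounts that look machine-generated and are not in the known roster."""
    return [u for u in users if u not in known and RANDOM_NAME_RE.match(u)]


def suspicious_cron(entries: Iterable[str]) -> List[str]:
    """Cron lines that execute code from the uploads directory or reference a phishing domain."""
    return [e for e in entries if UPLOADS_DIR in e or any(d in e for d in PHISHING_DOMAINS)]


def php_in_uploads(paths: Iterable[str]) -> List[str]:
    """PHP files under wp-content/uploads/, a directory that should hold only media."""
    return [p for p in paths if p.startswith(UPLOADS_DIR) and PHP_EXT_RE.search(p)]


def suspicious_connections(lines: Iterable[str]) -> List[str]:
    """Outbound log lines whose host= field is a phishing domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = re.search(r"host=(\S+)", line)
        if m and matches_domain(m.group(1).lower()):
            hits.append(line)
    return hits


def triage(users, cron, files, connections) -> Dict[str, List[str]]:
    """Run every check and return the findings grouped by category."""
    return {
        "users": suspicious_users(users),
        "cron": suspicious_cron(cron),
        "uploads": php_in_uploads(files),
        "connections": suspicious_connections(connections),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_ADMIN_USERS, SAMPLE_CRON, SAMPLE_FILES, SAMPLE_CONNECTIONS)
    for category, findings in results.items():
        print(f"{category}: {findings or 'nothing found'}")
```

The domain list and the 8-character name pattern are the static indicators the article warns will go stale; the uploads-directory and cron checks are structural and keep working after the attackers rename their infrastructure, which is why they should carry more weight in a review.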
WooCommerce’s Response
WooCommerce, a product of Automattic, has promptly addressed this phishing threat by communicating with users through the official channels associated with their services.
They noted that they never send patch files directly by email: security fixes for WooCommerce arrive as updates through the WordPress dashboard, on WordPress.org, or through a trusted development platform.
The company is working to take down the phishing domains used in this campaign, and recommends that all WooCommerce store owners adopt security measures including:
- Keeping plugins and themes up to date from the dashboard at all times;
- Enabling automatic security updates;
- Using strong passwords with Two-Factor Authentication (2FA) enabled;
- Only downloading from sources you know to be safe.
Users who are ever unsure about the security of their website should contact WooCommerce support directly through WooCommerce.com.
Prevent Phishing and Vulnerabilities with SiteLock Security
Prevent phishing and vulnerabilities with SiteLock Security and keep your WooCommerce store protected from the latest threats. The best prevention is proactive prevention.
Do not let your website fall victim to a phishing campaign like this one, or give your customers a reason to lose trust in your business by putting their data at risk.
Protect your WooCommerce store from potential attacks and vulnerabilities with our complete WooCommerce Security solution. Trusted business, trusted site.