Security News > 2023 > March > WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!
Interestingly, WooCommerce suggests that even if attackers had found and exploited this vulnerability, the only information about your logon passwords they'd have been able to steal would have been so-called salted password hashes, and so the company has written that "It's unlikely that your password was compromised".
As a result, it's offering the curious advice that you can get away without changing your admin password as long as [a] you're using the standard WordPress password management system and not some alternative way of handling passwords that WooCommerce can't vouch for, and [b] you're not in the habit of using the same password on multiple services.
Forgive us for asking, but you don't share passwords between any sites, let alone sharing the admin account password to your e-commerce system, do you?
The company does urge you to "Chang[e] any private or secret data stored in your WordPress/WooCommerce database", notably including data such as authentication tokens, session cookies, or API keys - the jargon names given to what are essentially temporary passwords that your browser can add to future web requests to get immediate access.
These "Part-time passwords" are there to allow the server to infer that you went through a full-on logon process recently enough for you and your pre-authorised apps to be trusted, without forcing you to share your actual primary password with every app or brower tab that's going to be making programmatic requests on your behalf.
WooCommerce suggests that you should be OK even if you don't change your password, because attackers would need to crack any stolen password hashes first.