On 13th July 2021, WooCommerce, a major eCommerce plugin built for WordPress sites, announced critical vulnerabilities in WooCommerce plugins from version 3.3 to 3.5 and WooCommerce Blocks feature plugins from version 2.5 to 5.5. WooCommerce says it has deployed an automatic patch fix to all the affected stores.
Has any data been compromised?
The investigation is ongoing and there is not much clarity on whether data has been compromised, although WooCommerce has assured store owners that it will keep them informed. WooCommerce also announced that stores hosted on WordPress.com or WordPress VIP have already been secured. Additionally, it has started pushing automatic updates to the highest patched plugin version for affected stores to safeguard them against SQL injection attacks.
If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
— WooCommerce (@WooCommerce) July 14, 2021
Is your store safe? What actions should you take?
WordPress.org is currently pushing forced automatic updates to all vulnerable stores. WooCommerce merchants are still advised to update their passwords and ensure their stores are running the latest version, i.e. 5.5.1.
For merchants who find it disruptive to update to 5.5.1, WooCommerce released a patch that closes the vulnerability for each release branch. So if a site is running WooCommerce version 4.8, it is encouraged to update to 4.8.1 first – before going ahead and updating to WooCommerce 5.5.1.
“Automatic software updates are rolling out now to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.1 or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1.” says WooCommerce.
WooCommerce has included the full list of patched versions for WooCommerce and WooCommerce Blocks. It is advised you update immediately if running on a version not on this list.
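The branch-by-branch advice above boils down to one check: is the installed version at or above the first patched release of its own branch? The script below is an added example, not code from WooCommerce or from this article, that performs that check. The per-branch table only contains the two fixed versions the article names (4.8.1 and 5.5.1); the other entries are placeholders that must be filled in from WooCommerce's published list of patched versions. The `--live` mode assumes WP-CLI is installed and that the plugin slug is `woocommerce`.

```shell
#!/bin/sh
# Added example: decide whether an installed WooCommerce version still needs
# the July 2021 SQL injection fix. Not WooCommerce's own tooling.

# First patched release per branch (major.minor -> fixed version).
# Only the two branches named in the article are filled in; extend this
# table from WooCommerce's published list (placeholder lines marked TODO).
PATCHED_MIN="
4.8 4.8.1
5.5 5.5.1
"
# TODO: add the remaining branches, e.g. "<major.minor> <fixed-version>"

# version_ge A B: exit 0 when dotted version A >= B (numeric, field by field;
# missing fields count as 0, so 4.8 == 4.8.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# woo_status VERSION: prints "patched", "vulnerable" or "unknown-branch".
# "unknown-branch" means the table has no entry for that major.minor, so
# the caller must consult WooCommerce's full list rather than assume safety.
woo_status() {
    ver=$1
    branch=$(printf '%s' "$ver" | cut -d. -f1,2)
    # String comparison (the "" concatenation) so 4.1 never matches 4.10.
    min=$(printf '%s\n' "$PATCHED_MIN" | awk -v b="$branch" '($1 "") == (b "") { print $2 }')
    if [ -z "$min" ]; then
        echo "unknown-branch"
    elif version_ge "$ver" "$min"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Live mode: read the installed version with WP-CLI (assumed present) and
# report. The same comparison applies to WooCommerce Blocks, whose fixed
# version the article gives as 5.5.1.
if [ "${1:-}" = "--live" ]; then
    installed=$(wp plugin get woocommerce --field=version)
    echo "WooCommerce $installed: $(woo_status "$installed")"
fi
```

Run it as `sh woo-check.sh --live` on the store's host; a result of `vulnerable` means the branch patch (or 5.5.1) has not yet landed, and `unknown-branch` means the table needs the missing entry before the answer can be trusted.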
WooCommerce has been transparent and the good news is that the vulnerability was not only responsibly disclosed but also patched within a day of identification. Let’s keep an eye on the latest updates from the company!