According to the official sources, a critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).
While WordPress.com and WordPress VIP stores have already been secured, WooCommerce has started rolling out automatic software updates to all stores running impacted versions of each plugin via forced security updates from WordPress.org.
Additionally, WooCommerce is reaching out to its subscribed customers via email to inform them about the vulnerability and to request that they update WooCommerce and WooCommerce Blocks to the latest versions.
Ensure Update ASAP
Even though the automatic updates are being rolled out, store owners are encouraged to check and make sure they are running the latest version (5.5.1).
The security announcement made by WooCommerce does not yet confirm that this vulnerability has been exploited. The team acted diligently after the vulnerability was identified and responsibly disclosed by security researcher Josh via the HackerOne security program. The vulnerability was patched within one day of being identified.
As per the WooCommerce team:
If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
Vulnerability Details
At this point, not much is known about the details of the vulnerability or its exploitation, so it is still recommended to take the following steps:
- Update WooCommerce and WooCommerce Blocks to the latest version of each plugin.
- Review user accounts and update your store password.
- Run a malware scan to make sure your site is not compromised.
- Keep an eye on the WooCommerce blog to learn more about the details, as the investigation is still in progress.
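As an added example (not code from the advisory or from WooCommerce), the script below checks the first step: it parses the CSV output of `wp plugin list --format=csv` and flags any install of WooCommerce or WooCommerce Blocks whose version falls in the affected ranges (3.3 to 5.5 and 2.5 to 5.5) and is below the fixed release 5.5.1. The WordPress.org slug used for the Blocks plugin is an assumption, and the sample CSV is constructed.

```python
import csv
import io
import re

# Affected ranges (inclusive, major.minor) and the fixed release, as stated in the advisory.
# The Blocks slug is an assumption about the WordPress.org plugin slug, not taken from the page.
AFFECTED_RANGES = {
    "woocommerce": ((3, 3), (5, 5)),
    "woo-gutenberg-products-block": ((2, 5), (5, 5)),
}
FIXED_VERSION = (5, 5, 1)


def parse_version(text):
    """Turn '5.5.1' or '5.5.0-beta1' into a tuple of ints; non-numeric suffixes are dropped."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def is_affected(slug, version_text):
    """True if this plugin/version pair is inside the affected range and below the fix."""
    if slug not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[slug]
    v = parse_version(version_text)
    major_minor = (v + (0, 0))[:2]          # pad '5' to (5, 0) before the range check
    return low <= major_minor <= high and v < FIXED_VERSION


def find_affected(wp_plugin_csv):
    """Parse `wp plugin list --format=csv` output; return [(slug, version)] needing an update."""
    reader = csv.DictReader(io.StringIO(wp_plugin_csv))
    return [(row["name"], row["version"]) for row in reader
            if is_affected(row["name"], row["version"])]


# Constructed sample of `wp plugin list --format=csv` output (not from a real site).
SAMPLE = """name,status,update,version
woocommerce,active,available,5.4.1
woo-gutenberg-products-block,active,none,5.5.1
akismet,inactive,none,4.1.10
"""

if __name__ == "__main__":
    for slug, ver in find_affected(SAMPLE):
        print(f"UPDATE NEEDED: {slug} {ver} is in the affected range; upgrade to 5.5.1 or later")
```

On a real site, pipe the live output in with `wp plugin list --format=csv` instead of the constructed sample.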
References:
- Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know
- WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org