According to official sources, a critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).
While WordPress.com and WordPress VIP stores have already been secured, WooCommerce has started rolling out automatic software updates to all stores running impacted versions of each plugin via forced security updates from WordPress.org.
WooCommerce is also reaching out to its subscribed customers via email to inform them about the vulnerability and to ask them to update WooCommerce and WooCommerce Blocks to the latest versions.
Even though the automatic updates are being rolled out, store owners are encouraged to check and make sure they are running the latest version (5.5.1).
The security announcement made by WooCommerce does not yet confirm that this vulnerability has been exploited. The team acted diligently after the vulnerability was identified and responsibly disclosed by security researcher Josh via the HackerOne security program. The vulnerability was patched within one day of being identified.
According to the WooCommerce team:
If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
At this time, not much is known about the details of the vulnerability or its exploitation, but it is still recommended to take the following steps:
- Update WooCommerce and WooCommerce Blocks to the latest version of each plugin.
- Review user accounts and update your store password.
- Run a malware scan to make sure your site is not compromised.
- Keep an eye on the WooCommerce blog for more details, as the investigation is still in progress.