WooCommerce Urges Store Owners to Immediately Update Their Store to Fix Security Vulnerability

WooCommerce sent out an email to store owners to immediately update their store to the latest version to fix a security vulnerability involving versions 3.3 to 5.5 and the WooCommerce Blocks feature plugin versions 2.5 to 5.5.

According to the email, stores hosted on WordPress.com and WordPress VIP have already been secured. WC is working with the WordPress.org Plugin Team to automatically update as many stores as possible to secure versions.

In addition, WooCommerce urges store owners to take the following added precautions to safeguard their site:

  • Update to the latest version (5.5.1) or the highest number possible in the release branch.
  • Store owners running the WooCommerce Blocks feature plugin should update it to the latest version (5.5.1).
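For anyone responsible for more than one store, the two update steps above turn into an inventory question: which installs still sit inside the affected ranges (WooCommerce 3.3 to 5.5, WooCommerce Blocks 2.5 to 5.5) and have not reached 5.5.1? The script below is an added example, not code from WooCommerce or from the original article. It assumes a simple comma-separated inventory of site, plugin slug and installed version (the sample lines are constructed), and it does not know which backported builds within each older branch carry the fix, since the page does not list them; anything in the affected range below 5.5.1 is therefore flagged for update or verification against the release list.

```python
import re

# Affected ranges as stated in the advisory, inclusive, by major.minor branch.
AFFECTED = {
    "woocommerce": ((3, 3), (5, 5)),
    "woocommerce-blocks": ((2, 5), (5, 5)),
}

# The version the advisory asks stores to move to (same number for both plugins).
LATEST = (5, 5, 1)


def parse_version(text):
    """Turn '5.5.1', '4.9' or '5.5.1-rc.1' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def assess(plugin, version):
    """Classify one install: 'outside affected range', 'up to date' or 'update required'.

    'update required' also covers older branches that may already run a backported
    patched build; the page gives no per-branch list, so those must be checked by hand.
    """
    parsed = parse_version(version)
    low, high = AFFECTED[plugin]
    branch = parsed[:2]
    if branch < low or branch > high:
        return "outside affected range"
    if parsed >= LATEST:
        return "up to date"
    return "update required"


# Constructed sample inventory: site, plugin slug, installed version.
SAMPLE_INVENTORY = """
shop-a.example, woocommerce, 5.5.1
shop-a.example, woocommerce-blocks, 5.4.0
shop-b.example, woocommerce, 4.9.2
shop-c.example, woocommerce, 3.2.6
"""


def triage(inventory):
    """Return (site, plugin, version, verdict) for every line of the inventory."""
    rows = []
    for line in inventory.strip().splitlines():
        site, plugin, version = [field.strip() for field in line.split(",")]
        rows.append((site, plugin, version, assess(plugin, version)))
    return rows


if __name__ == "__main__":
    for site, plugin, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{site:16} {plugin:18} {version:8} {verdict}")
```

Feeding the script a real inventory (for example the output of a plugin-version query run across each site) gives a short list of stores to update first; the "update required" rows are the ones to action before the password rotation the advisory recommends.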

WooCommerce did not provide many details on this security vulnerability and said its investigation is ongoing and it would share updates about the issue on its blog.

However, they did reveal that affected stores may have order, customer, and administrative data exposed. Therefore, while it doesn’t appear to include critical customer payment and financial data, it may include proprietary and competitive information most businesses would not want to share.

WooCommerce said it acted on the report as soon as it learned of the issue on Tuesday and has been working around the clock to investigate it, audit all related codebases, and release a patch for every impacted version (90+ releases).

At the time of publishing, only 7.2% of WooCommerce installations are using version 5.5+. More than half of stores (51.7%) are running on a version older than 5.1. WordPress.org doesn’t offer a more specific breakdown of the older versions, but it’s safe to say without these backported security fixes, the majority of WooCommerce installs might be left vulnerable.

The security announcement indicates that WooCommerce cannot yet confirm that this vulnerability has not been exploited:

Our investigation into this vulnerability and whether data has been compromised is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

For those who are concerned about possible exploitation, the WooCommerce team is recommending merchants update their passwords after installing the patched version as a cautionary measure.

The good news for WooCommerce store owners is that this particular critical vulnerability was responsibly disclosed and patched within one day after it was identified. The plugin’s team has committed to being transparent about the security issue. In addition to publishing an announcement on the plugin’s blog, WooCommerce also emailed everyone who has opted into their mailing list. Concerned store owners should keep an eye on the WooCommerce blog for a follow-up post on how to investigate if their stores have been compromised.