Safeguard your WooCommerce store ASAP from a recently detected critical WooCommerce vulnerability
On July 13th a critical SQL-injection vulnerability was identified in WooCommerce, versions 3.3 to 5.5, and in the separate WooCommerce Blocks feature plugin, versions 2.5 to 5.5.
This does not apply to sites hosted on WordPress.com and WordPress VIP, as WooCommerce confirms that WooCommerce on these types of WordPress sites has already been secured. Any other WordPress site (e.g., a self-hosted site running the software from wordpress.org) using any of these affected WooCommerce versions is vulnerable to having its sensitive data exposed.
What are the dangers of this vulnerability?
The vulnerability detected can result in sensitive user data being exposed, such as user IDs and hashed passwords, as well as product order data, payment-card details, and administrative information such as employee credentials.
Do we know yet if any site owners have had their data compromised?
Investigations are still ongoing; at present WooCommerce can neither confirm nor deny whether any store owners have had their data compromised.
To forensically determine whether a WordPress site has been impacted, Wordfence researchers say that reviewing log files may provide a clue.
“Look for a large number of repeated requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files. Query strings which include %2525 are an indicator that this vulnerability may have been exploited on your site.” – Wordfence
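As an added example (not code from Kook, WooCommerce or Wordfence), a small Python script that applies the Wordfence log check above to web-server access-log lines: it picks out requests that reach the collection-data endpoint through either URL form, counts them per client, and flags clients whose query strings contain %2525 or that hammer the endpoint repeatedly. The log lines are constructed samples and the parameter names in them are placeholders, not the real request shape.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); the IPs are documentation
# addresses and the query parameters "q"/"page" are placeholders, not real request shapes.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2021:02:11:03 +0000] "GET /wp-json/wc/store/products/collection-data?q=%2525 HTTP/1.1" 200 512
203.0.113.10 - - [14/Jul/2021:02:11:04 +0000] "GET /?rest_route=/wc/store/products/collection-data&q=pa_%2525 HTTP/1.1" 200 498
198.51.100.7 - - [14/Jul/2021:02:12:00 +0000] "GET /wp-json/wc/store/products/collection-data?page=1 HTTP/1.1" 200 120
198.51.100.7 - - [14/Jul/2021:02:12:30 +0000] "GET /shop/ HTTP/1.1" 200 8812
"""

# Common/combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

ENDPOINT_PATH = "/wp-json/wc/store/products/collection-data"
REST_ROUTE = "/wc/store/products/collection-data"

def is_collection_data_request(target: str) -> bool:
    """True if the request target reaches the endpoint via either URL form named by Wordfence."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") == ENDPOINT_PATH:
        return True
    # parse_qs percent-decodes values, so an encoded rest_route value is matched as well
    return any(r.rstrip("/") == REST_ROUTE for r in parse_qs(parts.query).get("rest_route", []))

def scan_log(lines):
    """Per-client counts of collection-data requests and of those carrying %2525."""
    hits = defaultdict(lambda: {"requests": 0, "double_encoded": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_collection_data_request(m.group("target")):
            continue  # not a parseable line, or not aimed at the endpoint
        entry = hits[m.group("ip")]
        entry["requests"] += 1
        # Inspect the raw (undecoded) query string: %2525 is the indicator Wordfence names
        if "%2525" in urlsplit(m.group("target")).query:
            entry["double_encoded"] += 1
    return dict(hits)

def suspicious_clients(hits, repeat_threshold=20):
    """Clients with any %2525 query, or with a large number of requests to the endpoint."""
    return sorted(ip for ip, e in hits.items()
                  if e["double_encoded"] or e["requests"] >= repeat_threshold)

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for ip in suspicious_clients(results):
        print(f"{ip}: {results[ip]}")
```

Run it over your real access log with `scan_log(open("access.log"))`; a flagged client is a reason to pull the full request history for that address, not proof of a successful breach.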
What is WooCommerce doing to resolve this?
At present, WooCommerce has created an emergency patch for each of the impacted versions (90+) of WooCommerce and WooCommerce Blocks; the patches are being delivered by WordPress as a forced automatic update.
Some store owners reported yesterday (Thursday afternoon, 15th July) that they had not yet received the patch update.
It’s recommended that store owners still check manually and contact WooCommerce Support if they have not yet received the patch update. WooCommerce also recommends that store owners change their administrative passwords after the patches are installed, as a precaution.
WooCommerce has emailed its store-owner mailing list alerting them to the issue. Any WooCommerce store owners not on this mailing list will not have received this notification, so they are advised to get in touch with WooCommerce Support.
For now, the WooCommerce team’s investigation and auditing work is still ongoing.
What do WooCommerce online store owners need to do on their end?
WooCommerce recommends that all store owners still running these outdated versions update to the latest plugin version as a matter of highest priority.
They recommend first updating to the newest release within whatever release branch the store is currently running (see WooCommerce’s list of release branches). This ensures the site is no longer vulnerable.
So, as an example, if a store owner is using WooCommerce 4.8 they should update it to 4.8.1 first (the highest number in this branch) and THEN update it to 5.5.1. More information regarding these versions can be found here.
“Automatic software updates are rolling out now to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.1 or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1.” – WooCommerce
What do store owners need to do BEFORE updating WooCommerce and WooCommerce Blocks?
Take a full website backup before updating these (or any) plugins so you have a version to revert to in case anything goes wrong after updating (e.g., the latest versions could be incompatible with other plugins, page elements may break, lead forms may break, etc.).
Taking backups before any major changes or updates is simply best practice.
Do you need help?
If you require help with updating your WooCommerce plugin versions contact WooCommerce Support.
What's next, Kook?
A meeting with us costs NOTHING. Even if you have an inkling you aren't getting the results you'd expect, let's have a chat.