Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know

Written by Beau Lebens on July 15, 2021. Filed under: Blog, News.

Last Updated: July 23, 2021

On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.

Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases), which was deployed automatically to vulnerable stores.

I have a WooCommerce store – what actions should I take?

Automatic software updates to WooCommerce 5.5.1 began rolling out on July 14, 2021, to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.2* or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin.

Important: With the release of WooCommerce 5.5.2 on July 23, 2021, the auto-update process mentioned above has been discontinued.

After updating to a patched version, we also recommend:

  • Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites 
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

There’s more information about these steps below.

* WooCommerce 5.5.2 was released on July 23, 2021. The fixes contained in this version are unrelated to the recent security vulnerability.

How do I know if my version is up-to-date?

The table below contains the full list of patched versions for both WooCommerce and WooCommerce Blocks. If you are running a version of WooCommerce or WooCommerce Blocks that is not on this list, please update immediately to the highest version in your release branch.

Patched WooCommerce versions | Patched WooCommerce Blocks versions
-----------------------------|------------------------------------
3.3.6                        | 2.5.16
3.4.8                        | 2.6.2
3.5.9                        | 2.7.2
3.6.6                        | 2.8.1
3.7.2                        | 2.9.1
3.8.2                        | 3.0.1
3.9.4                        | 3.1.1
4.0.2                        | 3.2.1
4.1.2                        | 3.3.1
4.2.3                        | 3.4.1
4.3.4                        | 3.5.1
4.4.2                        | 3.6.1
4.5.3                        | 3.7.2
4.6.3                        | 3.8.1
4.7.2                        | 3.9.1
4.8.1                        | 4.0.1
4.9.3                        | 4.1.1
5.0.1                        | 4.2.1
5.1.1                        | 4.3.1
5.2.3                        | 4.4.3
5.3.1                        | 4.5.3
5.4.2                        | 4.6.1
5.5.1                        | 4.7.1
5.5.2                        | 4.8.1
                             | 4.9.2
                             | 5.0.1
                             | 5.1.1
                             | 5.2.1
                             | 5.3.2
                             | 5.4.1
                             | 5.5.1

Why didn’t my website get the automatic update?

Your site may not have updated automatically for a number of reasons. The most likely are: you’re running a version older than any impacted one (below WooCommerce 3.3); automatic updates have been explicitly disabled on your site; your filesystem is read-only; or a conflicting extension is preventing the update.

In all cases (except the first, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 5.5.2, 5.4.2, 5.3.1), as listed in the table above.

Has any data been compromised?

Based on the evidence currently available, we believe any exploitation was limited.

If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

How can I check if my store was exploited?

Due to the nature of this vulnerability, and the extremely flexible way that WordPress (and thus WooCommerce) allows web requests to be handled, there is no definitive way of confirming an exploit. You may be able to detect some exploit attempts by reviewing your web server’s access logs (or getting help from your web host to do so). Requests in the following formats seen between December 2019 and now likely indicate an attempted exploit:

  • REQUEST_URI matching regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
  • REQUEST_URI matching regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is inefficient and slow to run in most logging environments)
  • Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data

Requests that we have seen exploiting this vulnerability come from the following IP addresses, with over 98% coming from the first in the list. If you see any of these IP addresses in your access logs, you should assume the vulnerability was being exploited:

  • 137.116.119.175
  • 162.158.78.41
  • 103.233.135.21
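To turn the indicators above (the three request patterns and the source addresses) into something you can run over an access log, here is an added Python example that is not part of the original advisory. It assumes the combined log format written by Apache and nginx, and the log lines it scans are constructed samples, not real traffic.

```python
import re
from typing import Optional

# Apache/nginx combined log format is assumed here (constructed sample below);
# adjust LOG_LINE if your host writes a different format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1 from the advisory: the pretty-permalink REST URL with a
# double-encoded "%25252" sequence somewhere after collection-data.
PRETTY_URI = re.compile(r"/wp-json/wc/store/products/collection-data.*%25252")

# Indicator 2: the broader form that also catches ?rest_route= URLs. The
# advisory's leading ".*" is dropped because re.search already scans the
# whole string; the set of matching lines is the same.
ANY_URI = re.compile(r"/wc/store/products/collection-data.*%25252")

# Indicator 3: any non-GET request to either spelling of the endpoint.
COLLECTION_DATA_PREFIXES = (
    "/wp-json/wc/store/products/collection-data",
    "/?rest_route=/wc/store/products/collection-data",
)

# Source addresses the advisory reports as exploiting the bug.
KNOWN_SOURCE_IPS = frozenset({"137.116.119.175", "162.158.78.41", "103.233.135.21"})


def classify(line: str) -> Optional[str]:
    """Return why a log line matches an advisory indicator, or None if it is clean."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # unparseable line: not an indicator by itself
    ip, method, uri = m["ip"], m["method"], m["uri"]
    if PRETTY_URI.search(uri):
        return "collection-data request carrying double-encoded payload (%25252)"
    if ANY_URI.search(uri):
        return "collection-data request via rest_route carrying double-encoded payload"
    if method != "GET" and uri.startswith(COLLECTION_DATA_PREFIXES):
        return f"non-GET ({method}) request to collection-data endpoint"
    if ip in KNOWN_SOURCE_IPS:
        return f"request from known exploitation source {ip}"
    return None


def scan(lines) -> list:
    """Scan an iterable of log lines; return (line_number, reason) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        reason = classify(line)
        if reason is not None:
            findings.append((lineno, reason))
    return findings


# Constructed sample log: lines 1-3 and 6 should be flagged; lines 4 and 5 are
# ordinary shop traffic (a normal GET price filter and a page view) and must not be.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jul/2021:02:10:11 +0000] "GET /wp-json/wc/store/products/collection-data?filter=%25252 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [15/Jul/2021:02:10:12 +0000] "GET /?rest_route=/wc/store/products/collection-data&filter=%25252 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [15/Jul/2021:02:11:03 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
192.0.2.44 - - [15/Jul/2021:02:12:40 +0000] "GET /wp-json/wc/store/products/collection-data?min_price=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jul/2021:02:13:01 +0000] "GET /shop/ HTTP/1.1" 200 9313 "-" "Mozilla/5.0"
137.116.119.175 - - [15/Jul/2021:02:14:02 +0000] "GET /wp-json/wc/store/products HTTP/1.1" 200 2048 "-" "-"
"""

if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG.splitlines()
    if len(sys.argv) > 1:  # pass a real access log path to scan it instead
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    for lineno, reason in scan(lines):
        print(f"line {lineno}: {reason}")
```

A hit on the double-encoded pattern is the strongest signal; a lone non-GET request or a known source address is worth reviewing in context rather than treating as proof of compromise.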

Which passwords do I need to change?

It’s unlikely that your password was compromised as it is hashed

WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.

This assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site, you may have passwords or other sensitive information stored in less secure ways.

If any of the Administrator users on your site might have reused the same passwords on multiple websites, we recommend you update those passwords in case their credentials have been compromised elsewhere.

We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways and more, depending on your particular store configuration.

As an extension developer or service provider, should we alert our WooCommerce merchants?

If you work with any live WooCommerce store or merchant, we encourage you to work with them to make sure they know about this issue, and/or update their store to a secure version.

If you have built an extension or offer a SaaS service that relies on the WooCommerce API, we encourage you to help merchants reset the keys to connect to your service. 

As a store owner, should I alert my customers? 

Whether you alert your customers is ultimately up to you. Your obligations to notify customers or reset things like passwords will vary depending on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised. 

The most important action you can take to protect your customers is to update your version of WooCommerce to a version that has been patched with a fix for this vulnerability. 

After updating, we recommend:

  • Updating the passwords for any Administrator users on your site, especially if you reuse the same passwords on multiple websites 
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

As the store owner it is ultimately your decision whether you want to take additional precautions such as resetting your customers’ passwords. WordPress (and thus WooCommerce) user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach is applied to all user passwords on your site, including your customers’ passwords.

Is WooCommerce still safe to use?

Yes.

Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency. 

Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed. 

Our continued investment in platform security allows us to prevent the vast majority of issues – but in the rare cases that could potentially impact stores, we strive to fix quickly, communicate proactively, and work collaboratively with the WooCommerce Community.

What if I still have questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

268 Responses

  1. Daniel
    July 15, 2021 at 1:13 am

    This vulnerability affected sites without blocks installed? Did you send warnings to all sites affected? (I don’t know if I was, I’ve updated my sites to 5.5.1 manually after reading this post) thanks!!!

    • Kevin Bates
      July 15, 2021 at 1:19 am

      Hi, Daniel.

      This vulnerability affected sites without blocks installed?

      Yes, WooCommerce versions 3.3 to 5.5.

      Did you send warnings to all sites affected?

      We sent out an email to our mailing list as well.

      I’ve updated my sites to 5.5.1 manually after reading this post) thanks!!!

      Thank you for quickly updating!

      • danielspain22
        July 15, 2021 at 1:25 am

        Ok, if I didn’t receive a personalized mail or automatic update to my site (hosted outside wordpress.com), does it mean that it wasn’t affected in the meantime (1 day) between the 5.5 update and the 5.5.1 manual update?

        • Kevin Bates
          July 15, 2021 at 1:30 am

          Unfortunately your store still may have been vulnerable in that timeframe.

          We can only email users who have opted-in to our mailing list, and auto-updates aren’t always possible.

          However, now that you have updated, you are running the patched version.

          • danielspain22
            July 15, 2021 at 1:39 am

            Ok, but will you disclose a way to check if the site was attacked (verifying our logs or any other way)? Do we need to change admin passwords just in case?
            Sorry for asking, but as merchants it is very worrying; I’ve updated an hour ago when you published the notice on social media.
            Thanks in advance to the Woo team!

          • Kevin Bates
            July 15, 2021 at 2:32 am

            Out of caution it is a good idea to update your passwords after installing the patched version.

            We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

            Thank you!

          • Erin
            July 15, 2021 at 3:20 pm

            You mention updating passwords along with updating to the patched version. Can you provide more detail of which passwords? Are you referring to WordPress Admin passwords? Payment processor passwords? Thank you!

      • huskyoatmealkleopatra83965
        July 15, 2021 at 9:13 am

        My site is currently broken, I tried updating my plugins yesterday. Since then there is a critical error and I am not able to access WordPress, please assist me.

        • Laura Nelson
          July 15, 2021 at 10:20 am

          Hi there,

          We’re really sorry to hear that!

          Please open a ticket with our Support team: https://woo.com/my-account/create-a-ticket/ who’ll be able to help resolve this issue for you.

          Thanks,

          Laura

      • Alex
        July 15, 2021 at 12:26 pm

        So, is it safe with WooCommerce 5.4.1 and without blocks plugin?
        My client is worried because we do not know what the vulnerability actually is…

        • Laura Nelson
          July 15, 2021 at 12:57 pm

          Hi Alex,

          If you’re running WooCommerce 5.4.1 you should update to 5.4.2.

          We’re still investigating the issue, and will share more information on our blog when we’re able to do so.

          Thanks,

          Laura

      • Anise
        July 16, 2021 at 11:46 pm

        What if the WooCommerce plugin won’t allow you to update? It gives this huge error with a pink background. Should I just delete the plugin altogether?

        • Laura Nelson
          July 17, 2021 at 2:19 pm

          Hi Anise,

          If you’re experiencing issues with updating, please contact our team of Happiness Engineers: https://woo.com/my-account/create-a-ticket/

          They’ll be able to assist you with this process.

          Thanks,

          Laura

          • gizo1989
            July 24, 2021 at 7:04 pm

            If I stay on the Woo 5.5.1 version, is it a problem and a risk for me?

      • Knox Bronson
        August 10, 2021 at 8:35 pm

        How can I update WooCommerce when I get this warning? No guarantee the site will still work. I’ve been avoiding updates for a while. And now this vulnerability alert from you. What do you suggest I (we) do?

        The following active plugin(s) have not declared compatibility with WooCommerce 5.0 yet and should be updated and examined further before you proceed:

        Plugin Tested up to WooCommerce version
        WooCommerce Table Rate Shipping 4.5
        Plug’n Pay Direct Gateway for WooCommerce unknown
        As this is a major update, we strongly recommend creating a backup of your site before updating.

        • Laura Nelson
          August 11, 2021 at 10:12 am

          Hi Knox,

          An updated version of WooCommerce containing the security patch has been made available for each release branch, which should negate the need for a major update at this time.

          For example, if you’re using 4.9.2, you can update to the patched version in that branch – 4.9.3 – instead of jumping straight to 5.0.1 or higher.

          You can find a list of all patched versions in the table above – if you’re currently running one of these versions, then you do not need to update. If you’re not using a patched version, you can find a direct download for each release branch on this page: https://developer.woocommerce.com/releases/.

          You should not update to WooCommerce 5.0 as this is not a secure version.

          Thanks,

          Laura

    • redes6039
      July 15, 2021 at 9:32 am

      Stupid beginners question. What is meant with “blocks”? Is that a separate plugin or included extra plugin? Is it “blocks” the complete name? I am confused.

    • Md Sherazul Islam
      July 28, 2021 at 5:31 pm

      How. I can’t do it.

  2. John Cook
    July 15, 2021 at 1:47 am

    Do you think WordPress.org will be pushing a forced update to patch this?
    I’m currently working through client websites one by one

    • Kevin Bates
      July 15, 2021 at 2:22 am

      Hi, John.

      Yes!

      We provided the patch to WordPress.org and automatic software updates are rolling out now to all stores running impacted versions of each plugin.

      However, we’re urging everyone to check and manually update if needed, just in case.

      • Khamoosh
        July 16, 2021 at 6:08 am

        Do you recommend switching to another platform instead of WooCommerce, since it is always getting hacked? It has security holes. And nobody from support cares because it is free.

    • Chris
      July 15, 2021 at 2:22 am

      Unless I’m misunderstanding, I don’t think a forced update is possible on self-hosted/WordPress.org sites, right? To be safe I just went all the way up to 5.5.1 on everything I manage, although the new point releases for each branch released today should have the patch, according to this page: https://developer.woocommerce.com/releases/

      • John Cook
        July 15, 2021 at 4:21 am

        @Chris, it’s a little known and rarely used capability of the WordPress security team. They pushed a forced update for the loginizer plugin in October of last year and it looks as though they’ll do the same for this one

      • Krzysiek Dróżdż
        July 15, 2021 at 7:51 am

        The Automattic security team has the ability to force updates on themes and plugins – there is such a solution implemented in the update system.

        It has already been used a few times, AFAIR.

  3. Sharif Jameel
    July 15, 2021 at 1:50 am

    Glad it was patched quickly. That’s a lot of versions & a long time for a vulnerability to be out there… Has there been any indication that the vulnerability was being actively exploited?

    • Kevin Bates
      July 15, 2021 at 3:25 am

      Sharif,

      Our investigation into this vulnerability and whether data has been compromised is ongoing.

      Hopefully we’ll know more soon.

      Thank you!

      • tishuk
        July 15, 2021 at 5:23 pm

        Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages. When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.

        Is there any information you can share that could help me (or other concerned bystanders) to forensically determine if we were impacted? Maybe some diagnostic error log messages or URL patterns?

        • Laura Nelson
          July 16, 2021 at 10:55 am

          Hi there,

          The team is still investigating the issue, and will share more details as soon as they’re able to do so.

          In the meantime, please ensure that you’re running the latest version of WooCommerce in your release branch and update any admin passwords

          Thanks,

          Laura

          • Laura Nelson
            July 22, 2021 at 11:45 am

            Hi again,

            Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this.

            Laura

  4. julierachlin1
    July 15, 2021 at 2:05 am

    So I am clear – WooCommerce v3.3 to 5.5 are vulnerable to this exploit? 3.3?? Blocks or no blocks?

    • Kevin Bates
      July 15, 2021 at 2:23 am

      Yes, that is correct.

  5. Stef
    July 15, 2021 at 2:37 am

    Were/Are any third-party plug-ins compromised?

    • Stef
      July 15, 2021 at 2:45 am

      And should we alert our WooCommerce merchants?

    • Kevin Bates
      July 15, 2021 at 2:54 am

      Hi, Stef.

      From what we know at this time only WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5) are affected.

      I’d also suggest notifying your merchants to make sure they’ve updated.

      Thank you!

      • LAURA MALFATTO
        July 15, 2021 at 4:13 am

        Hi, I immediately updated after reading your email. But I have WooCommerce 5.4.2 and Blocks 5.3.2.
        Is that enough? Thanks!

        • Beau Lebens
          July 15, 2021 at 4:53 am

          Those are both patched versions, so you are safe from this vulnerability. If you are running the Blocks plugin separately, we do suggest you always keep it on the latest version since the only reason to run it separately is to get more recent features. If you don’t need that, then you can just uninstall the separate Blocks plugin, since a stable version is always bundled with WooCommerce Core now.

  6. Josh
    July 15, 2021 at 2:47 am

    Hello – We have just updated our site to the latest version in our release branch 3.6.6 (14/07/21). Can you please confirm this release contains the security fix for the vulnerability in this article?

    • Kevin Bates
      July 15, 2021 at 3:02 am

      Hi, Josh.

      Yes, WooCommerce 3.6.6 contains the security patch.

      Thanks!

  7. Phil
    July 15, 2021 at 3:12 am

    So, just to be clear, if we are using 5.4.1 and update to 5.4.2 it will be okay?

    Or do we need to update to 5.5.1 from that branch?

    • John Pallister
      July 15, 2021 at 3:17 am

      5.4.2 is fine.

      However, if you are using WooCommerce blocks on your site, then you should update to 5.5.1

      • LAURA MALFATTO
        July 15, 2021 at 4:08 am

        Hi, I read this just now and immediately updated, but for me the latest version is 5.4.2 (WooCommerce) and 5.3.2 (Blocks).
        Is that enough?
        Thanks!

      • Phil
        July 15, 2021 at 5:20 am

        Thanks John 🙂

  8. druekberg
    July 15, 2021 at 3:36 am

    I can’t update. I started to update from my phone, but it fails. Also, tried moving the Autoupdate slider from Off to On, but it keeps sliding back to Off. On the computer I went to my website, but get “Briefly unavailable for scheduled maintenance. Check back in a minute.” 15 minutes now. I filled out a support ticket, but maybe you can let others know what to do in this situation.

    • Kevin Bates
      July 15, 2021 at 3:49 am

      Sorry to hear that!

      I’m sure our support team will be able to help you figure out what’s going on.

      It may also be worth contacting your hosting provider’s support as well just in case the issue is on their end.

      Thank you!

    • David Bracken
      July 15, 2021 at 3:58 am

      If you can FTP into your site, or access the file manager through your host’s control panel, find the file called maintenance.php and delete it. It will be in the main hierarchy of your site, inside the httpdocs directory, or wherever you find the wp-content, wp-admin, etc. directories. Try updating again after that. If you still can’t update, certainly reach out to WooCommerce or your host, but if it were me, I’d back up the plugin and then reinstall it.

      Hope that helps.

      • druekberg
        July 15, 2021 at 4:31 am

        Thanks Kevin, I reached out to my support team, but I’m not sure how many hours I will have to wait for them to get this resolved.

        Thanks David, before I could track down that php file, the site returned from maintenance mode. However, the WooCommerce plugin had disappeared. I tried to reinstall, but that failed.

        • druekberg
          July 15, 2021 at 5:32 am

          Fixed it. I renamed the WC installation and recovered my plugins, including WC, from a backup. I didn’t realize the restore would wipe the directory, so for anyone in my position, move the renamed WC folder outside the plugins folder in case you need it. In my case, the restore worked, and then I updated WC to 5.5.1. Things appear to be working.

          • bringmeict
            July 15, 2021 at 9:16 am

            Woke up to a similar situation. Website was on maintenance mode (from Plesk), after disabling maintenance mode and login to the WP admin backend I was greeted with errors that Woocommerce was missing. Under plugins, no WC visible. Could not upload the plugin via the backend for a reinstall, some generic error.
            Checked via FTP and the WC folder was totally missing from plugins directory. Extracted the latest version and uploaded it manually to this directory. After that everything was fine again. I’ve got auto updates enabled for every plugin, first time it caused havoc to be honest.

  9. Derek
    July 15, 2021 at 4:13 am

    Hello – it looks like I am on 3.4.8 – this would be the latest patched version for my ‘branch’ – correct? Do I still need to update to 5.5.1? When I try to, I get a major update warning and it shows the majority of my plugins saying they haven’t been tested past version 3.2-4.5 etc., so am I good to leave it as is? Or do I need to install 5.5.1? Thanks!

    • Beau Lebens
      July 15, 2021 at 4:58 am

      This specific vulnerability is patched in that version, yes.

      That being said, that is a *very* old version of WooCommerce, so we would strongly suggest that you explore a path to being able to update. This is an extreme case where we “backported” a security fix to many previous versions, but we constantly release improvements to security, performance, and functionality, which normally only ship in the latest version (5.5.1 as of right now).

      • derek
        July 15, 2021 at 5:52 am

        gotcha thank you …should I just go ahead and hope all my plugins will work? The warning is showing the majority of them haven’t been tested yet with that 5.x.x version

        • Ryan Ray
          July 15, 2021 at 2:22 pm

          Hi Derek,

          I wouldn’t personally say to update from 3.4.8 up to 5.5.1 without testing this first say on a staging copy of your current site. If your host doesn’t offer that option, we’d recommend WP Staging for quickly spinning up a new test site.

          Lots has changed from WooCommerce 3.4.8, like template files, functions, etc… so the chances are higher you would run into compatibility issues if your other extensions weren’t also updated for WooCommerce 5+ compatibility.

          The important thing is that now your store is secure from this known vulnerability and you have the time to plan and test updating to the latest version of WooCommerce. 🙂

          • Derek
            July 21, 2021 at 3:52 am

            Thanks so much Ryan, I will check into the staging and start work on a test site to see if we can seamlessly upgrade. Thanks again for the help!

  10. Kaizen
    July 15, 2021 at 5:41 am

    Is this vulnerability related to the unescaped attributes filter and is there any way to audit whether this attack has been performed on your site? Do you suggest any other mitigation other than the update?

    • dawgyg
      July 15, 2021 at 5:45 am

      blocking access to the API without being authenticated prevents the exploit.

      As for IOCs, it’s a GET request, so there will be logs showing it being exploited in the web server (nginx or apache) logs.

    • Laura Nelson
      July 15, 2021 at 10:58 am

      Hi Kaizen,

      > Is this vulnerability related to the unescaped attributes filter

      We’re currently still investigating the issue, and will share details on our blog when we’re able to do so.

      > is there any way to audit whether this attack has been performed on your site?

      If your store keeps request logs, you can check this log to find out if anything looks unusual. If you’re not sure if this is possible on your store, you can chat with your hosting company about this.

      We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

      > Do you suggest any other mitigation other than the update?

      At present, no. We will be contacting store owners directly if any further action is required.

      Thanks,

      Laura

    • Laura Nelson
      July 22, 2021 at 11:47 am

      Hi Kaizen,

      Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,
      Laura

  11. bhalstrom
    July 15, 2021 at 5:49 am

    Upgraded to latest version and cannot get Revenue Analytics to load, causing 502 errors. Any ideas why this would happen?

    • Laura Nelson
      July 15, 2021 at 10:34 am

      Hi there,

      We’d recommend contacting our Support team directly about this! You can open a ticket here: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

    • James
      July 20, 2021 at 6:06 am

      Same issue, massive 502 issues. After attempting on production site, stupid me.. (always update on a staging site if possible or in maintenance mode with backup) I have copied the site to staging now and still same issue.

  12. Gerardo Venegas
    July 15, 2021 at 5:57 am

    We were hacked. What now? We have a backup, but a week old!! Because I stopped using the automatic backups!

    • ellevatedesigns
      July 15, 2021 at 6:02 am

      That’s rough man… I would suggest a couple of things:

      1. Revert your files (**NOT THE DATABASE**) to the backed up version.
      2. Update to the latest version in your branch by downloading the .zip here: https://developer.woocommerce.com/releases/
      Extract manually via the server to update.
      3. Use Wordfence (free version) to scan the site – it’s good at detecting malware and modified files.

      3a. IF Wordfence finds some bad files, you’ve got problems – try and scan your logs to see what IP address was accessing them, then search your database to see if there are any matching sessions, and check the user_id (indicating a weak password on a user-account).
      3b. Delete the files, and scan again until clean.

  13. ellevatedesigns
    July 15, 2021 at 5:57 am

    For anyone wondering “Is my version patched” — here is the releases page: https://developer.woocommerce.com/releases/

    If you’re using the latest of your branch, it’s patched.

    Cheers,
    C.

    • Ryan Ray
      July 15, 2021 at 2:25 pm

      Thanks so much for sharing this. We’ve also updated the post with a table of the correct patched versions everyone should be using.

  14. Jatinder
    July 15, 2021 at 6:08 am

    I have my site at version 5.4.1. Should I upgrade it to 5.5.1 manually? I am only getting the option to update to version 5.4.2 on the WordPress updates page.

    • ellevatedesigns
      July 15, 2021 at 6:09 am

      5.4.2 is the latest release for your branch, update to that and you’re good.

      Here is the releases page: https://developer.woocommerce.com/releases/

    • poetrix53
      July 16, 2021 at 8:03 am

      I have two payments listed on my site which have not come through to my bank acc. Please advise. My plugin was up to date.

      Thanks

      • Laura Nelson
        July 16, 2021 at 10:59 am

        Hi there,

        Please get in touch with our team of Happiness Engineers directly – https://woo.com/my-account/create-a-ticket/

        They’ll be able to help investigate the cause of this issue for you.

        Laura

  15. Chris
    July 15, 2021 at 7:25 am

    I updated WooCommerce through wordpress and all WordPress tables have vanished. My support team are rolling back to yesterday’s database.
    @#%#@!

  16. iableorg
    July 15, 2021 at 7:30 am

    I see you pay $1k for reporting this. Considering how much is at risk you might want to raise the motivation for good hackers to review WC.

  17. iki
    July 15, 2021 at 7:37 am

    Hi
    I got your email, thanks for the advice…

    I have a few questions…

    I had version 5.4.1; WordPress gives me version 5.4.2 to update to (not 5.5.1).

    Why won’t WordPress mention version 5.5.1 to me?
    What does the update process depend on?

    I thought we were always going to the latest version
    (I thought I was up to date with my version until yesterday, when I got your email).

    Why will it be OK to update to 5.4.2 if there is 5.5.1 (even though it is not present on my updates page)?

    Thanks in advance

    • laughthisoff
      July 15, 2021 at 10:35 am

      You’re confusing WordPress itself (currently 5.7.2) and Woocommerce (now 5.5.1). Woocommerce is a plugin for WordPress. The issue here has been with Woocommerce, not WordPress itself.

      • IKI
        July 15, 2021 at 5:41 pm

        Hi laughthisoff… no no..
        I’m referring to woocommerce versions..

        On my site I have version 5.4.1, AND WordPress gives me as a choice version 5.4.2 of WooCommerce to update to.

        But WooCommerce was saying to update to version 5.5.1, WHICH WordPress is not giving me as an update possibility.

        I am not confused with or about wordpress (I have 5.7.2 for wordpress, but it has nothing to do with my questions)

        Cheers

    • Laura Nelson
      July 15, 2021 at 12:26 pm

      Hi Iki,

      WooCommerce 5.4.2 is the correct version to update to based on your release branch, and contains the security patch.

      If you’d like to update to 5.5.1, you should see the option to do so once you’ve updated to 5.4.2.

      If you experience any issues with this, feel free to contact one of our Happiness Engineers here: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  18. Damien
    July 15, 2021 at 7:54 am

    Is the vulnerability there if Woocommerce or Woocommerce blocks files are present but the plugin is deactivated? We’re a hosting company and we have a bunch of customers who have inactive woocommerce plugins in their codebases. I assume they tried it at one point then changed their minds or something…

    are those deactivated plugin files safe or do they also need to be updated?

    Thank you for all your hard work!

    • Laura Nelson
      July 15, 2021 at 11:19 am

      Hi Damien,

      Deactivated plugin files are safe, but we do still recommend updating to the latest version in case any of your customers decide to reactivate them again in the future.

      Thanks,

      Laura

  19. Jon Ichiro
    July 15, 2021 at 8:12 am

    Hi!

    I have an auto-update feature on for all my plugins and when I got the email notif earlier, I checked the plugin and it has been automatically updated to version 5.5.1. I’m not sure how instant the auto-update feature on wordpress is but should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?

    Thanks!

    • Laura Nelson
      July 15, 2021 at 11:10 am

      Hi Jon,

      > I checked the plugin and it has been automatically updated to version 5.5.1

      Excellent. Ensuring that you’re running the latest version of WooCommerce available is the recommended course of action right now.

      > should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?

      We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

      Thanks,

      Laura

      • Laura Nelson
        July 22, 2021 at 11:48 am

        Hi Jon,

        Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

        Thanks,

        Laura

  20. Fabio
    July 15, 2021 at 8:24 am

    From 5.0.0 to 5.0.1 is safe? Thanks

    • Laura Nelson
      July 15, 2021 at 11:12 am

      Hi Fabio,

      Yes, WooCommerce 5.0.1 contains the security patch.

      Thanks,

      Laura

  21. Haja Kutbudeen
    July 15, 2021 at 8:35 am

    Thanks for your email. May I know about that vulnerability? What is it exactly? How does it affect my e-commerce site?

    • Laura Nelson
      July 15, 2021 at 11:15 am

      Hi Haja,

      Our investigation into this vulnerability is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

      In the meantime, please ensure you’re running the latest versions of WooCommerce and WooCommerce Blocks, as they contain the security patch.

      Thanks,

      Laura

      • Laura Nelson
        July 22, 2021 at 11:49 am

        Hi Haja,

        Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

        Thanks,

        Laura

  22. suneth
    July 15, 2021 at 8:50 am

    We have lots of customization combined with other plugins, so it’s hard to update the version soon. Can you provide a targeted patch or info about the vulnerability, so we can apply some fix without a full update?

    • Laura Nelson
      July 15, 2021 at 12:33 pm

      Hi Suneth,

      Updating to the latest branch version should avoid this problem (for example, if you’re running 5.4.1, update to 5.4.2). This shouldn’t conflict with any customizations unless you’ve made them inside the WooCommerce plugin (which we strongly recommend against doing).

      I hope that helps,

      Laura

      • Suneth
        July 15, 2021 at 2:12 pm

        The problem is I’m using Version 3.6.6 🙂 and it cannot update to latest version directly

        • Ryan Ray
          July 15, 2021 at 2:28 pm

          Hi Suneth,

          Just confirming for you, WooCommerce 3.6.6 is a patched version that includes the security fix for this vulnerability discovered.

          If you’re using 3.6.6 your site is secure from this vulnerability. 🙂

  23. Mauro
    July 15, 2021 at 8:56 am

    Morning,

    After reading your email I upgraded to version 5.4.2.

    As soon as I updated I was given the option to upgrade to 5.5.1 and I upgraded to this version.

    Is the site now secure?

    • Laura Nelson
      July 15, 2021 at 11:16 am

      Hi Mauro,

      Yes, both versions 5.4.2 and 5.5.1 contain the security patch, so you’re safe to use either of those.

      Laura

  24. Marco
    July 15, 2021 at 9:51 am

    Hi, thanks for the notification and the update.
    Can this vulnerability be exploited also when the WooCommerce plugin is disabled? (i.e. not Active in WordPress). I can see my WooCommerce has been updated, but I’m not currently using it yet, so it is disabled…

    • Laura Nelson
      July 15, 2021 at 11:22 am

      Hi Marco,

      Deactivated plugin files are safe, but we do still recommend ensuring WooCommerce has been updated to a patched version in case you decide to reactivate it in the future.

      Thanks,

      Laura

  25. Milos
    July 15, 2021 at 9:53 am

    Hello,

    I am using WooCommerce on few of my old websites (In both WordPress network and single website wordpress). Current version is 3.8.2 in all websites.

    I saw that Kevin Bates said that version 3.6.6 contains security patch. Does this mean that 3.8.2 is safe, too?

    • Laura Nelson
      July 15, 2021 at 11:25 am

      Hi Milos,

      Yes, WooCommerce 3.8.2 contains the security patch.

      Cheers,

      Laura

  26. Mona
    July 15, 2021 at 10:00 am

    Hello,

    I have updated my shops to 5.5.1. I don't use WP Blocks and haven't installed it as a plugin. But in WooCommerce Status it says: WooCommerce Blocks-Paket: 5.3.2

    Is that normal? Or must I do something? Thanks in advance.

  27. David
    July 15, 2021 at 10:05 am

    Hey,

    is there a list of all patched version available?

    If not, are 5.2.2 and 5.3.1 patched versions?

    Thanks & best regards,
    David

    • Laura Nelson
      July 15, 2021 at 11:28 am

      Hi David,

      > is there a list of all patched version available?

      You can see the full list of releases here: https://developer.woocommerce.com/releases/, with the latest versions of each listed.

      We’ll be getting this added to the blog post ASAP.

      > are 5.2.2 and 5.3.1 patched versions?

      5.2.2 is not a patched version, so you’ll need to update this to 5.2.3.

      5.3.1 is a patched version.

      Thanks,

      Laura

  28. Mikael
    July 15, 2021 at 10:28 am

    I have Woocommerce 4.8.0 installed and WordPress offers update to 4.8.1. Am I safe if I install 4.8.1? Does it fix this issue?

    I have a critical production site so I would rather install a minor patch now if it fixes the issue and upgrade to Woocommerce 5.x later.

    • Laura Nelson
      July 15, 2021 at 11:29 am

      Hi Mikael,

      Yes, WooCommerce 4.8.1 is the updated version containing the security patch.

      Thanks,

      Laura

  29. Alex
    July 15, 2021 at 10:29 am

    Hi, I run a third-party plugin “Germanized for WooCommerce” and it seems like this plugin is not compatible with the newest version of WooCommerce.

    Woocommerce got an auto update today from 4.8.0 to 4.8.1. Is the problem solved now?

    Thank you,
    Alex

    • Dennis
      July 15, 2021 at 10:52 am

      Germanized, considering you are using the latest version works just fine with the latest Woo version: https://wordpress.org/plugins/woocommerce-germanized/

      • Alex
        July 15, 2021 at 11:15 am

        I am not quite sure which one I should update first:

        WordPress? (current version 5.6.4)
        WooCommerce? (current 4.8.1)
        WooCommerce Germanized? (current 3.3.1)
        WooCommerce Germanized Pro? (current 3.1.0)

        Is the WooCommerce version 4.8.1 safe now or not?
        I am not sure if it's a good idea to upgrade WooCommerce to a 5.x.x version…. I am afraid of crashing my website.

        • Laura Nelson
          July 15, 2021 at 11:34 am

          Hi Alex,

          As this critical vulnerability concerns the WooCommerce plugin, we highly recommend ensuring this is up to date first.

          The version you mention, 4.8.1, contains the security patch so there’s nothing else you need to do here until you’re ready to update to the latest version (5.5.1).

          Thanks,

          Laura

        • Gareth
          July 15, 2021 at 11:49 am

          Hi Alex,

          > I am not quite sure which one I should update first?

          If you need any assistance on how to update WooCommerce safely, this step-by-step guide may be useful.

          Thanks.

  30. Janet
    July 15, 2021 at 11:34 am

    I have a site on 3.1.2 Does this mean I’m unaffected?

    • Laura Nelson
      July 15, 2021 at 11:52 am

      Hi Janet,

      Yes, 3.1.2 is unaffected. However, that is a *very* old version of WooCommerce, so we would strongly recommend that you explore a path to being up to date.

      This is an extreme case where we “backported” a security fix to many previous versions, but we constantly release improvements to security, performance, and functionality, which normally only ship in the latest version (5.5.1 as of right now).

      Thanks,

      Laura

      • Janet
        July 15, 2021 at 12:05 pm

        Thanks Laura,

        What do you mean old, it’s not even 4 years yet!
        😉

        Appreciate the attention to the older versions that are affected though. And the speedy response.

  31. Michael
    July 15, 2021 at 11:41 am

    Just wanted to say thank you. I am impressed how many branches you patched. You even patched very very old versions! You are doing a great favor with that to people having older legacy installations. Thank you for that.

    • Laura Nelson
      July 15, 2021 at 11:55 am

      Hi Michael,

      Thank you for the kind feedback – we’ve shared this with the team!

      Laura

  32. Niall Flynn
    July 15, 2021 at 11:46 am

    Adding a sales pitch into this warning makes it a little odd. “Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager: https://my.wpengine.com/products/smart_plugin_manager to your plan today! ” I think this really weakens the alert status and many clients saw this as a sales opp bundled with a WC issue. How critical is this?

    • Laura Nelson
      July 15, 2021 at 12:03 pm

      Hi Niall,

      Thanks for bringing this to our attention!

      It looks like this was from a communication handled by the team at WPEngine – not WooCommerce.

      I’m afraid we have little control over how third-parties communicate this issue, but would appreciate it if you could share with us where you saw this message so that we can provide feedback.

      Thank you!

      Laura

  33. Per
    July 15, 2021 at 12:33 pm

    For those searching for details, here’s a list of patched WooCommerce versions (current as of 2021-07-15).
    Either update manually or wait for the update to be pushed if you have patch-releases lower than these:
    – WooCommerce 3.3.6
    – WooCommerce 3.4.8
    – WooCommerce 3.5.9
    – WooCommerce 3.6.6
    – WooCommerce 3.7.2
    – WooCommerce 3.8.2
    – WooCommerce 3.9.4
    – WooCommerce 4.0.2
    – WooCommerce 4.1.2
    – WooCommerce 4.2.3
    – WooCommerce 4.3.4
    – WooCommerce 4.4.2
    – WooCommerce 4.5.3
    – WooCommerce 4.6.3
    – WooCommerce 4.7.2
    – WooCommerce 4.8.1
    – WooCommerce 4.9.3
    – WooCommerce 5.0.1
    – WooCommerce 5.1.1
    – WooCommerce 5.2.3
    – WooCommerce 5.3.1
    – WooCommerce 5.4.2
    – WooCommerce 5.5.1

    • Ryan Ray
      July 15, 2021 at 2:36 pm

      Thanks so much Per, we’ve also added this to the post too!
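A way to check a fleet of installs against that list, as an added example and not WooCommerce's own code: it encodes Per's patched releases and the 3.3 to 5.5 affected range stated elsewhere in this thread, assumes anything newer than the 5.5 branch was released after the fix, and the site inventory it runs over is constructed.

```python
"""Classify installed WooCommerce versions against the July 2021 patched-version list.

Added example, not WooCommerce project code. Per-branch patched releases come
from the list posted in the thread; the affected range (3.3 to 5.5) from the
thread as well. Every site name and version in the sample inventory is constructed.
"""

# Highest patched release in each affected branch: (major, minor) -> patch.
PATCHED_WOOCOMMERCE = {
    (3, 3): 6, (3, 4): 8, (3, 5): 9, (3, 6): 6, (3, 7): 2, (3, 8): 2, (3, 9): 4,
    (4, 0): 2, (4, 1): 2, (4, 2): 3, (4, 3): 4, (4, 4): 2, (4, 5): 3, (4, 6): 3,
    (4, 7): 2, (4, 8): 1, (4, 9): 3,
    (5, 0): 1, (5, 1): 1, (5, 2): 3, (5, 3): 1, (5, 4): 2, (5, 5): 1,
}
FIRST_AFFECTED_BRANCH = (3, 3)
LAST_AFFECTED_BRANCH = (5, 5)


def parse_version(text):
    """Turn '5.5' or '5.4.2' into (major, minor, patch); a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WooCommerce version string: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(numbers)


def assess(version_text):
    """Return (status, advice) for one installed version.

    status is 'unaffected', 'patched' or 'vulnerable'.
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return "unaffected", "branch predates the affected range (3.3 to 5.5)"
    if branch > LAST_AFFECTED_BRANCH:
        # Assumption: any branch newer than 5.5 was released after the fix.
        return "patched", "released after the fixed 5.5 branch"
    required = PATCHED_WOOCOMMERCE[branch]
    fixed = f"{major}.{minor}.{required}"
    if patch >= required:
        return "patched", f"{fixed} or later in this branch carries the fix"
    # Same-branch update first (as the thread advises), then 5.5.1 if wanted.
    return "vulnerable", f"update to {fixed} within the branch before moving to 5.5.1"


def sites_needing_update(inventory):
    """Given {site: (version, plugin_active)}, list sites still on a vulnerable release.

    Active installs come first. Deactivated plugin files are described in the
    thread as safe, but they are still listed because the exposure returns on
    reactivation.
    """
    rows = []
    for site, (version, active) in inventory.items():
        status, advice = assess(version)
        if status == "vulnerable":
            rows.append((site, version, "active" if active else "inactive", advice))
    rows.sort(key=lambda row: (row[2] != "active", row[0]))
    return rows


# Constructed sample inventory for a small hosting fleet (not real sites).
SAMPLE_INVENTORY = {
    "shop-a.example": ("5.4.1", True),
    "shop-b.example": ("4.8.1", True),
    "shop-c.example": ("3.1.2", True),
    "shop-d.example": ("5.5", False),
    "shop-e.example": ("5.2.2", True),
}

if __name__ == "__main__":
    for site, version, state, advice in sites_needing_update(SAMPLE_INVENTORY):
        print(f"{site:16} {version:7} {state:9} {advice}")
```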

  34. SteveB
    July 15, 2021 at 12:40 pm

    Hi Great work

    Just wanted to check – You mention earlier “as a precaution to change passwords”. Could you please confirm if you are referring just to any related woocommerce user accounts such as the shop-manager or also the wordpress user accounts such as admin/editor etc?

    • Ollie
      July 15, 2021 at 1:42 pm

      Yes good question. I would like clarification on this please.

      Many thanks

      • SteveB
        July 15, 2021 at 8:47 pm

        Hi,

        It would be really good to get an official response.

        Also wanted to check if we need to consider changing any payment gateway public and private api keys?

        • Laura Nelson
          July 22, 2021 at 12:11 pm

          Hi Steve,

          Just to let you know that our original post has now been updated with further details in regards to updating passwords and API keys.

          Thanks,

          Laura

  35. Lirol
    July 15, 2021 at 12:53 pm

    Hey,

    I’m using a modified version of WooCommerce 3.7 (so I can’t just update it straight away). Just to be sure I fixed the vulnerability manually: was the vulnerability located in woocommerce\includes\data-stores\class-wc-webhook-data-store.php, and was the risk SQL injection because the usage of $wpdb->prepare was skipped for the search query, right?

    Best regards

  36. Tobias
    July 15, 2021 at 1:38 pm

    Hi there,

    I have 4 Websites with Woocommerce. 2 were updated automatically at 4:34 and 5:37 am german time. But the 2 other installs didn’t get the automatic updates.

    All sites have `define('WP_AUTO_UPDATE_CORE', 'minor');` in wp-config. All sites had version 5.5 installed.

    Could you tell me why auto update worked on 2 sites and why not on the 2 others?

    BEST!

    • Kevin Bates
      July 16, 2021 at 12:18 am

      Hi, Tobias.

      It’s difficult to know why some of your sites didn’t auto-update.

      With a patch as important as this, we recommend checking and doing so manually if needed – which sounds like you already did!

  37. Oliver Jones
    July 15, 2021 at 1:48 pm

    Is this the vulnerability in question?

    CVE-2021-24323 … https://nvd.nist.gov/vuln/detail/CVE-2021-24323

    Please make it a practice always to publish the CVE number on the US National Vulnerability Database, or some other vulnerability reference number, when giving notices or patches like this.

    And thank you for staying ahead of this.

    • nanoprobes
      July 15, 2021 at 2:08 pm

      Oliver Jones, I’m sure bureaucracy is the last thing on their mind. In fact, it’s the complete opposite of bureaucracy that got this fixed so fast.

    • Bill
      July 15, 2021 at 2:38 pm

      Follow the WPScan source and you will see this was patched in Version 5.2.0.

    • Roger
      July 15, 2021 at 9:01 pm

      That’s not it; that’s XSS. This one’s a SQL injection vulnerability and apparently has not yet been assigned a CVE number, according to reports on security sites like Wordfence and others. If it had been assigned, it would have been cited in reports. This is not unusual when something is happening this fast.

  38. Alex
    July 15, 2021 at 2:19 pm

    Hi, I have another problem: I updated WooCommerce to the latest version and my WooCommerce Germanized plugin is active, but:

    Germanized is inactive. This version of Germanized requires WooCommerce 3.9 or newer. Please update WooCommerce to version 3.9 or newer »

    Can you help me?
    Thx,
    Alex

    • Kevin Bates
      July 16, 2021 at 12:15 am

      Hi, Alex!

      The newest version of WooCommerce is 5.5.1, which is quite a bit newer than 3.9.

      Is it possible there’s a newer version of Germanized that is also updated for newer versions of WooCommerce?

      Thanks!

  39. 925health
    July 15, 2021 at 2:25 pm

    Hello,

    When using the hand picked block from Gutenberg editor or trying to modify any of my product pages, I keep getting the following message:

    Updating failed. The response is not a valid JSON response.

    I have also received an email from WordPress itself saying my website has a technical issue see below:

    Error Details
    An error of type E_ERROR was caused in line 87 of the file /ho/nin/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/Note.php. Error message: Uncaught Error: Call to undefined method Automattic\WooCommerce\Admin\Notes\Notes::load_data_store() in /ho/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/Note.php:87
    Stack trace:
    #0 /home4/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/MobileApp.php(40): Automattic\WooCommerce\Admin\Notes\Note->_construct()
    #1 /nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/NoteTraits.php(67): Automattic\WooCommerce\Admin\Notes\MobileApp::get_note()
    #2 //nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Events.php(112): Automattic\WooCommerce\Admin\Notes\MobileApp::possibly_add_note()
    #3 /h/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Events.php(95): Automattic\WooCommerce\Admin\Events->possibly_add_notes()
    #4 /ho/nin/public_html/wp-includes/class-wp-hook.php(292): Automattic\WooCommerce\Admin\Events->do

    These errors have occurred at the same time … so it looks as though they are linked … I’ve already contacted my host and tried to make manual fixes but nothing is working … I cannot update my product pages at all.

    Please advise … are you aware of this issue? Will it be fixed? It was working fine but has stopped somewhere in the last 48 hours.

    Thanks

    • 925health
      July 15, 2021 at 2:26 pm

      P.S I have automatic updates on so it’s running the latest patch but still not working.

      Thanks

    • Alex
      July 17, 2021 at 9:28 pm

      What was the solution after you contacted woocommerce directly? This is ONE of the problems I’m having. I was almost starting to wonder if I’d been compromised, but bandwidth to my site is below 3MB for the past 24 hours so if I’m compromised, it’s a sleeper that takes up bytes.

  40. livinglotuschocolate
    July 15, 2021 at 2:27 pm

    This looks more serious than I thought it to be initially. Are there specific countries that, perhaps, may have been more vulnerable to this? Should we also alert our users to change their password, or are admin-level password changes enough?

    • Gareth
      July 15, 2021 at 5:41 pm

      Hi there, thanks for your questions.

      Whether you alert your users to change their password is ultimately your decision to make. Your obligations to notify customers or reset things like passwords will vary depending on things like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised.

      We will be sharing more information with site owners on how to check their own site, which we will publish on our blog when it is ready.

      Our investigations so far have not indicated any specific countries or regions are more vulnerable than any others.

    • Laura Nelson
      July 22, 2021 at 12:13 pm

      Hi there,

      Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

  41. Golden Boy
    July 15, 2021 at 3:14 pm

    I’m running WooCommerce 3.9.4 according to “WooCommerce->Status” menu. Is this a correct place to check the version?

    The release date of 3.9.4 under the Woo “Releases” page is 2021-07-14.

    So I have to update to the 2021-07-14 release, correct?

    The release is a zip file. Can I just install as a “Add New” plug in on top of the existing? Or do I uninstall the existing first?

    • Gareth
      July 15, 2021 at 3:36 pm

      Hi there,

      If you’re running 3.9.4, your site is already on the fixed patch – you don’t need to update anything anymore.

    • Ollie
      July 15, 2021 at 7:33 pm

      Quick question. I have updated a number of sites to their next release version. Are these versions patched or do I have to go to 5.5.1?

      Thanks

      • Kevin Bates
        July 16, 2021 at 12:12 am

        Hi, Ollie!

        As long as they are the latest versions in their release branch you’ll be running the patched version.

        We’ve added a table in the post above so you can check and be sure.

        Thanks!

    • Holly Nelson
      July 16, 2021 at 2:11 am

      We discovered this on July 4th. We have been cleaning and recovering sites for a week and deleting WooCommerce from these sites. How is it that it took this long for it to be made public? We have been scouring the Internet for information for a week.

      • Laura Nelson
        July 16, 2021 at 11:52 am

        Hi Holly,

        We were only alerted to the vulnerability on July 13 (via HackerOne). Upon receiving the alert, the team immediately started their investigation and rolled out a security fix.

        If you knew about the issue sooner and have more information to share, the team would be really interested in hearing from you – you can reach out to them here: https://hackerone.com/automattic/

        Thanks,

        Laura

        • Holly Nelson
          July 16, 2021 at 2:00 pm

          Thanks for letting me know the reporting protocol. I’ll work with hosting server admin to report what we know.

        • Steve West
          July 16, 2021 at 4:29 pm

          How can we check to verify our hosted WC sites haven’t been compromised? Does this vulnerability allow remote SQL injection, uploading malware to the site, or something else?

          • Laura Nelson
            July 16, 2021 at 4:48 pm

            Hi Steve,

            The team is still investigating this issue, and will release more details as soon as we’re able to do so.

            In the meantime, please ensure you’re using a patched version of WooCommerce (as detailed in the post above).

            Thanks,

            Laura

          • Laura Nelson
            July 22, 2021 at 12:14 pm

            Hi Steve,

            Our original blog post, above, has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

            Thanks,

            Laura

  42. Riccardo
    July 15, 2021 at 4:04 pm

    I have version 3.9.2 on a website. If I try to load patched version 3.9.4, the process fails, telling me that the WooCommerce folder already exists. Do I have to delete the folder before updating?

    • Job
      July 15, 2021 at 4:25 pm

      Hi there. That’s correct. Uploading a .zip file to update a plugin that’s already present is a functionality that was added in WordPress 5.5. If you’re using an older version of WordPress, then this will not work.

      You can delete WooCommerce and then upload version 3.9.4. The WooCommerce data and settings are stored in your database and not in the plugin files. That said, it’s always a good idea to first make a backup.

  43. joe
    July 15, 2021 at 5:54 pm

    Ever since updating to latest version I’m being plagued by 500 and other errors which take my site offline.
    Not happy.

    • Gareth
      July 15, 2021 at 6:21 pm

      I understand your frustration here, Joe. Is it possible for you to roll back to a previous version using a site backup?

      If so, I’d recommend doing so and then updating to the highest version number in your release branch first, before updating to WooCommerce 5.5.1 (for example: if your store is running WooCommerce 4.8, first update to WooCommerce 4.8.1).

      If your site is still down and you’re unable to access your site via the front-end to make changes, here’s how you can access it via FTP:
      https://wordpress.org/support/article/common-wordpress-errors/#the-white-screen-of-death

      Hope this helps!

      • joe
        July 15, 2021 at 8:26 pm

        I was already at the highest release, 5.5 I think

        Having to roll back an entire site because of a single plugin is a last resort. It always causes other issues when this step is taken.

        I have 500’s, white screens, and multiple access errors killing my site.

        Practical advice would be appreciated rather than the generic “use a backup”

        • joe
          July 15, 2021 at 8:55 pm

          I have noticed memory allocation errors (out of memory) – I have increased the allowance to double what it was previously as a potential quick fix while investigations continue

          I was happily chugging along with PHP Memory Limit set to 128M until this issue with Woo – I have gone up to 256M with Max Execution time upped from 120 to 180

          • Kevin Bates
            July 16, 2021 at 12:10 am

            Hi, Joe.

            Sounds like we might need to dig a little deeper into your setup and the best thing would be to open a support ticket.

            https://woo.com/my-account/create-a-ticket/

            Thanks!

          • Alex
            July 17, 2021 at 9:22 pm

            What was the solution after WooCommerce investigated?

  44. Young
    July 15, 2021 at 6:48 pm

    Would it be possible to manually apply the patch? And if yes, would there be a script to follow? The goal is to apply the patch without affecting customized code.

    One site runs WC 3.7.0 with customization code. After updating to 3.7.2, the whole product section broke. So it has to be restored to the vulnerable state.

    Thank you!

    • Kevin Bates
      July 16, 2021 at 12:07 am

      Hi, Young.

      We don’t have a manual patch at this time.

      You may need to contact your developer who applied the custom code and have them update for you.

      It’s also a good idea to have a look at some best practices when adding custom code so as not to run into this in the future!

      https://docs.woocommerce.com/document/customizing-woocommerce-best-practices/

      Thanks!

  45. Alvaro
    July 15, 2021 at 7:13 pm

    Hello!

    Just updated to 4.8.1, but I’ve read you recommend changing passwords… which passwords are you guys talking about? Admin passwords? FTP?… all??

    Thanks for the answer!

    • Bill
      July 15, 2021 at 8:19 pm

      “which passwords are you guys talking about?”

      Might want to do them all to be safe. I would also extend this to customer passwords as well, particularly if their accounts grant access to saved credit card information. Quite the can of worms which can be particularly damaging for brands.

      • Kevin Bates
        July 16, 2021 at 12:04 am

        Thanks for responding, Bill.

        Completely agree that it’s best to be safe and change all passwords for all your stores.

        Thanks!

  46. lcolescommunitycreativecenterorg
    July 15, 2021 at 7:35 pm

    WooCommerce 5.5.0 is what we had downloaded, and when it updated, our site crashed and now I can’t access it.

  47. alurewoonaccessoires
    July 15, 2021 at 8:24 pm

    Hi,

    My woocommerce has disappeared. I tried to install it again, but the site says it’s not possible to install it because it’s already in a folder. How and where can I find it?
    Please help as my site is down now.

    Renate

    • lindscence
      July 15, 2021 at 9:40 pm

      I have the exact same problem. WooCommerce completely disappeared, cannot be re-installed, and I have no idea what to do. Can anyone help us?

      • lindscence
        July 15, 2021 at 11:51 pm

        OK, I solved it. In FTP I went to find the woocommerce plugin folder and I renamed it as woocommerce_old, and this allowed me to install the plugin again. I guess you can also just delete the folder as well. But after the fresh install everything loaded back and my website is working normally.

        • Kevin Bates
          July 16, 2021 at 12:02 am

          Glad you were able to resolve the issue!

    • Kevin Bates
      July 16, 2021 at 12:03 am

      Sorry to hear that!

      If your site is still down and you’re unable to access your site via the front-end to make changes, here’s how you can access it via FTP:

      https://wordpress.org/support/article/common-wordpress-errors/#the-white-screen-of-death

      Hope that helps!

  48. seostar
    July 15, 2021 at 8:44 pm

    Hi, I just updated from version 4.9.1 to version 4.9.3. Is this version safe and OK?

    • Rommel Castro
      July 15, 2021 at 9:42 pm

      Hey there – If you’re running 4.9.3, your site is already on the fixed patch – you don’t need to update anything anymore.

  49. psorg28
    July 15, 2021 at 9:05 pm

    I’m using WC 2.6.4. I outsourced the building of my e-commerce store, and several Angular-based custom templates and a few custom plugins are built and functioning on my site.

    Previously, I tested updating WooCommerce in staging, and it messed up all the custom angular templates and plugins. So we can’t update WooCommerce right away.

    May I know whether WC 2.6.4 has the same vulnerability? And can you provide a patch for that? ’Cause it’ll take time for me to update all the templates and custom plugins.

    • Kevin Bates
      July 15, 2021 at 11:52 pm

      Hi there,

      This issue only affects WooCommerce versions 3.3 to 5.5 and the WooCommerce Blocks feature plugin versions 2.5 to 5.5.

      That is quite an old version of WooCommerce however, so working with your developer to update would be a good idea!

      Thanks!

  50. lindscence
    July 15, 2021 at 9:15 pm

    How long does it take to update? Mine has been updating for more than an hour now and nothing is happening. When I open my dashboard in a new page, the complete WooCommerce plugin is gone. What is happening? Can anyone help me?

    • Kevin Bates
      July 16, 2021 at 12:01 am

      How strange!

      The time it takes to update would depend mostly on your hosting provider – the update should be fairly quick.

      If the WooCommerce plugin is still gone, I’d download the newest version and install it again manually.

      Thanks!

  51. Carole
    July 15, 2021 at 9:42 pm

    I’m amazed that so many people don’t keep their plugins up-to-date. WordPress Site Health always flags any non-updates as a risk! Don’t people use the Site Health tool?!

    • Flávio
      July 15, 2021 at 10:29 pm

      I must believe that the vast majority would be due to the lack of compatibility of the plugins. This is the great difficulty in a system with thousands of roots like this.

  52. karlbastian1
    July 15, 2021 at 9:45 pm

    Hi! I have a store that’s running on WordPress version 3.7.2 (before the critical vulnerability was detected). It’s still on version 3.7.2. I tried updating my store to the newest version of WordPress and several things stopped working. My question is, do I even need to update anything? I see that version 3.7.2 is a patched version…

    • Kevin Bates
      July 15, 2021 at 11:55 pm

      Hey!

      I assume you mean WooCommerce 3.7.2? 🙂

      If so, yes, that is a patched version and you’re safe from this issue.

      We still recommend staying up to date, though, for all the newest features and fixes.

      Thanks!

  53. charlsouma
    julio 15, 2021 at 11:24 pm #

    I have noticed on a new store I set up that when I go to the checkout for a payment, a pop-up page loads before the checkout and the URL does not change; the pop-up asks for credit card details. I entered garbage and hit submit, and the page disappears and the checkout is then left empty. The form which loads is the following HTML:

    Is this related? I haven’t seen this pop-up before on a similar store. I updated WooCommerce to 5.5.1 but the same pop-up is still appearing. I came here to open a ticket but I can’t, because I haven’t set up my account correctly.

    • Kevin Bates
      julio 15, 2021 at 11:57 pm #

      Hello,

      That doesn’t sound related to this issue.

      Best thing is to submit a support ticket – have you created an account on WooCommerce.com? That’s the best way to get in touch so we can help you work through the issue.

      Thanks!

  54. Sangie
    julio 16, 2021 at 1:26 am #

    Thank you so much for handling this so fast! I’m so glad you are using something like HackerOne so that the good guys can find these vulnerabilities before the bad guys do. I’ve upgraded the sites with the error. Thank you so much!

    • Laura Nelson
      julio 16, 2021 at 11:23 am #

      Hi Sangie,

      Thank you for the kind feedback – I’ll share this with the team!

      Laura

  55. reachdigitalaus
    julio 16, 2021 at 4:43 am #

    Hi

    I’m running 4.5.3, listed in the patched versions. Sites are a bit older so hesitant to update.

    4.5.3 is safe to stay on?

    Thank you

  56. Ray Daley
    julio 16, 2021 at 11:16 am #

    My site automatically updated to WooCommerce 5.5.1, but it’s affected site speed dramatically…to the point where I’m getting time out errors whilst trying to do simple things like edit a product. I created a duplicate copy of my site on my server…deactivated all the plugins and changed to Storefront theme. The problem persisted. Rolled back to 5.5.0…still have the problem, but roll back to 5.4.2 and all is good….. has a security patch been put in place for 5.4.2 for me to use it ???

    • Laura Nelson
      julio 16, 2021 at 1:00 pm #

      Hi Ray,

      Thanks for letting us know about the rapid decline in your site speed – the team is currently working on a fix for this.

      In the meantime, you’re correct to be using 5.4.2 – a security patch has indeed been put in place for this version.

      Thanks,

      Laura

      • Chad
        julio 16, 2021 at 1:13 pm #

        Thanks for the clarification Laura, will try to roll back

    • Chad
      julio 16, 2021 at 1:01 pm #

      I’m having the same issue, server load is extremely high due not to traffic on the site but to backend processes, i.e. looking up orders, shipping orders, adding products etc. Also am wondering if it’s OK to roll back WooCommerce to an older version.

      • Laura Nelson
        julio 16, 2021 at 1:14 pm #

        Hi Chad,

        We’re sorry to hear that – the team is working on a fix for this.

        In the meantime, you can roll back to version 5.4.2 which contains the security patch.

        Thanks,

        Laura

      • Ray Daley
        julio 17, 2021 at 12:52 am #

        Same problem as me Chad. I am rolling back to 5.4.2 which appears to fix the problem.

        • Chad
          julio 17, 2021 at 1:07 am #

          Hi Ray, yes we rolled back to 5.4.2 based on your suggestion and it appears to be holding. Went light on processes today but didn’t see any spikes like the previous day.

  57. Cody
    julio 16, 2021 at 12:11 pm #

    I am using version 3.4.8 and as far as I see from the table of Patched WooCommerce versions, the 3.4.8 is listed.

    Does it mean that I don’t need to do anything?

    • Laura Nelson
      julio 16, 2021 at 1:03 pm #

      Hi Cody,

      3.4.8 is indeed a version containing the security patch, so no further updates are required right now.

      That being said, 3.4.8 is a very old version of WooCommerce, and we do recommend working towards updating to the latest version. More information on how to do this safely can be found here: https://docs.woocommerce.com/document/how-to-update-woocommerce/

      Thanks,

      Laura

  58. Dexter Morgen
    julio 16, 2021 at 12:37 pm #

    Thanks for letting us know about this vulnerability,

    For now, we are working to upgrade our Development website and try to fix the issue if there are any.

    So, if we could update the Woocomerce on our Live website by Monday then is it safe for our site?

    Or we can temp down our store for two days?

    What do you guys suggest?

    Thanks

    • Laura Nelson
      julio 16, 2021 at 1:08 pm #

      Hi Dexter,

      We’re strongly recommending that you update your website immediately if it isn’t already using a patched version.

      The team has released security patches for WooCommerce versions 3.3 – 5.5, and so at the moment, you just need to ensure that you’re running on the latest version for your release branch.

      Thanks,

      Laura

  59. Stephen
    julio 16, 2021 at 2:28 pm #

    Is my site affected if I did not utilize the WooCommerce webhook search function?

    Thanks.

    • Gareth
      julio 16, 2021 at 3:00 pm #

      Hi Stephen,

      If you have WooCommerce 3.3 or later installed on your site, then the vulnerability exists in WooCommerce and you’ll need to update.

  60. Tamas
    julio 16, 2021 at 2:42 pm #

    Hi,

    “We will be sharing more information with site owners on how to investigate this security vulnerability on their site”
    When will you announce this?
    I am about to add new products to my shop and I don’t want to do it twice if a big recovery is actually needed.
    Thanks!

    • Laura Nelson
      julio 22, 2021 at 12:16 pm #

      Hi Tamas,

      Our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

  61. peter
    julio 16, 2021 at 4:29 pm #

    I updated to version 5.0.1. Does this version have the patch so I don’t have to update any further??

    • Gareth
      julio 16, 2021 at 4:41 pm #

      Hi, Peter – yes, WooCommerce 5.0.1 has the patch.

  62. Clive
    julio 16, 2021 at 4:57 pm #

    As WordFence and Sucuri both block generically against SQL injection attacks, would either have protected a site?

    • Laura Nelson
      julio 16, 2021 at 6:28 pm #

      Hi Clive,

      The investigation of this issue is still ongoing, and we do not have this information yet. It’s therefore imperative that you update your website to one of the patched versions listed in the post above (if you have not already done so).

      Thanks,

      Laura

  63. one pound sweets
    julio 16, 2021 at 5:00 pm #

    every time there is an update, 24 hours later another update comes out to fix dozens of issues

    but this is crazy!

  64. interpatrimonio
    julio 16, 2021 at 8:44 pm #

    After the upgrade to 5.5.1 the following problem occurs: I don’t see the products. What can you do?

    • Laura Nelson
      julio 17, 2021 at 2:24 pm #

      Hi there,

      We’re really sorry to hear that!

      Please get in touch with our team of Happiness Engineers directly: https://woo.com/my-account/create-a-ticket/

      They will be able to assist with this issue.

      Thanks,

      Laura

  65. tbaytkadmin1
    julio 17, 2021 at 12:01 am #

    This destroyed my server. My host and I have been troubleshooting for over 24 hours. This turfed my server so bad that I can’t even restore from backup. If I find a way to restore my backup, I’ll be staying on the vulnerable edition and blocking the vulnerability with my WAF.

    I’m a reseller host, and my host is on Google. My support department is working with my host’s support department, who are working together with Google support. This update for the critical vulnerability unleashes several hard-to-stop processes that just hang the server.

    • ElZeddo
      julio 18, 2021 at 10:58 am #

      Do you have any info yet on how we can safely block this vulnerability via WAF?

  66. Naveed
    julio 17, 2021 at 12:42 pm #

    Hi

  67. Naveed
    julio 17, 2021 at 12:44 pm #

    I have WooCommerce 5.4.1 installed… I updated it multiple times but every time it creates issues and slows down my site…

    • Laura Nelson
      julio 17, 2021 at 2:30 pm #

      Hi Naveed,

      Which version are you trying to upgrade to?

      We’re aware of an issue in 5.5.1 which is causing some sites to slow down. The team is actively working on this, and in the meantime are recommending updating to 5.4.2 instead.

      As 5.4.1 does not contain the security patch, it’s really important that you update it to one of the patched versions listed above.

      If you continue to experience issues with updating, please contact our support team directly: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  68. Chas
    julio 17, 2021 at 6:16 pm #

    I’ve been informed by one of my clients that their “Orders” section is painfully slow. We have gone in to look. Everything else works fine. Loading an order takes a long time.

    • Laura Nelson
      julio 19, 2021 at 10:37 am #

      Hi Chas,

      Thanks for letting us know, and we’re sorry to hear that’s happening!

      If you’re using WooCommerce 5.5.1, there is a known issue that is causing some sites to slow down. The team is actively working on a fix now, but in the meantime rolling back to version 5.4.2 would resolve the issue.

      If this is occurring with a different version of WooCommerce, please contact our team of Happiness Engineers directly so that they can investigate: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  69. Jarrod
    julio 18, 2021 at 3:21 am #

    We updated as soon as we got the email and have been experiencing issues since.
    When trying to process orders it just spins until we get a 504 Timeout error; although it does normally update the order, this is very time consuming. This also happens in other areas of the backend on the website.
    Is there a suggested solution for this?
    We currently have Developer Support looking into this and our Hosting provider also.
    Thank You for your help
    Jarrod

    • Christos Chatzaras
      julio 18, 2021 at 2:01 pm #

      Maybe you hit this bug: https://github.com/woocommerce/woocommerce-admin/issues/7358

    • Laura Nelson
      julio 19, 2021 at 10:41 am #

      Hi Jarrod,

      We’re sorry to hear that’s happening!

      If you’re using WooCommerce version 5.5.1, there is a known issue that is slowing some stores down. The team is working on a fix for this right now, and the recommended solution, for the time being, is to roll back to version 5.4.2.

      If this issue is occurring on any other version of WooCommerce, please contact our team of Happiness Engineers who’ll be able to investigate for you: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

      • Janet
        julio 19, 2021 at 5:14 pm #

        My products sell out, but product quantities not changing to zero – I went in and manually changed to zero and an hour later, someone bought one of the sold out products!! I’m monitoring and last few sold out have worked properly so perhaps coincidental?? Please advise if I need to do something.

        • Laura Nelson
          julio 20, 2021 at 2:53 pm #

          Hi Janet,

          How strange! This doesn’t sound like it’s connected to this issue, but I’d recommend getting in touch with our team of Happiness Engineers anyway: https://woo.com/my-account/create-a-ticket/

          They’ll be able to take a closer look and provide some advice.

          Thanks,

          Laura

  70. fwolf
    julio 19, 2021 at 8:21 am #

    What _I_ need to know is if this only affects WooCommerce installations WITH Gutenberg. Cause ClassicPress obviously aint got that 🙂

    So a proper link to the bug report inside the article would be nice, instead of a rather bothersome “just update, you don’t understand anything anyway”.

    cu, w0lf.

    • Laura Nelson
      julio 19, 2021 at 11:02 am #

      Hi there,

      This affects WooCommerce versions 3.3 – 5.5, regardless of whether you’re using Gutenberg or Classic Press. It’s therefore really important that you upgrade to the patched version in your release branch.

      The team is still investigating this issue and we will release more details as soon as we’re able to do so.

      Laura

  71. Mike Webb
    julio 19, 2021 at 10:07 am #

    My site now reports the dreaded 500 error and I am looking to rolling any changes back

    Could you confirm whether there was a forced update and at what date/time, and whether it was to a file within the woocommerce folder(s) or a database update.

    Thanks
    Mike Webb

    • Laura Nelson
      julio 19, 2021 at 12:54 pm #

      Hi Mike,

      On July 14, WordPress.org rolled out an automatic security update to websites running versions of WooCommerce that had been identified as being affected by a critical vulnerability. I’m afraid we’re unable to identify the exact time this happened, but you can check whether you’re running a patched version of WooCommerce using the table in the blog post.

      If you are manually re-installing the WooCommerce and/or WooCommerce blocks plugins, we do recommend that you install the latest version within the release branch you had on your site prior to the update. So for instance, if you had WooCommerce 5.4.1, then you would want to install 5.4.2. You can find all the relevant versions in the table listed in the above post.

      If you continue to experience problems, please do reach out to our team of Happiness Engineers who will be able to assist you: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  72. Stumac
    julio 19, 2021 at 4:18 pm #

    Hi

    I have a client with a mothballed Woocommerce site version 3.0.7 which is currently activated but not used ie used for historical reference only and as such there requiredmentt for an updated version at this stage.

    Understand deactivating reduces the risk but the leading question is:

    Is this version vulnerable?

    Thanks
    Stuart

    • stumac
      julio 19, 2021 at 4:23 pm #

      Apologies!

      and as such there requiredmentt for an updated version at this stage.

      should read:

      and as such there is no requirement for an updated version at this stage.

      • Laura Nelson
        julio 19, 2021 at 4:44 pm #

        Hi Stumac,

        WooCommerce 3.0.7 is not one of the affected versions, so no action is required here.

        Thanks,

        Laura

  73. mario
    julio 19, 2021 at 5:06 pm #

    We received this SQL query, does it have something to do with the vulnerability?

    SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id
    FROM wp_posts AS posts
    INNER JOIN wp_term_relationships AS term_relationships ON posts.ID = term_relationships.object_id
    INNER JOIN wp_term_taxonomy AS term_taxonomy USING( term_taxonomy_id )
    INNER JOIN wp_terms AS terms USING( term_id )
    WHERE posts.ID IN ( SELECT wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'product' AND ((wp_posts.post_status = 'publish')) ORDER BY wp_posts.post_date DESC, wp_posts.ID DESC )
    AND term_taxonomy.taxonomy IN ("abc") or if(1=length(version()),1,sleep(5))#")
    GROUP BY terms.term_id
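    Added example, not from the comment thread or from WooCommerce: a small triage checker that pulls the `term_taxonomy.taxonomy IN (...)` clause out of a logged statement shaped like the one quoted above and reports the indicators a defender would look for (SQL appended after the closed IN list, time-delay and fingerprinting functions, a comment marker, unbalanced quotes). Both sample statements are constructed; the second is a normal term count query used as the benign control.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples. The first mirrors the shape of the statement quoted in the
# comment above; the second is an ordinary term count query with a normal
# taxonomy list, used as the benign control.
SUSPICIOUS_QUERY = (
    "SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id "
    "FROM wp_posts AS posts "
    "INNER JOIN wp_term_relationships AS term_relationships ON posts.ID = term_relationships.object_id "
    "INNER JOIN wp_term_taxonomy AS term_taxonomy USING( term_taxonomy_id ) "
    "INNER JOIN wp_terms AS terms USING( term_id ) "
    "WHERE posts.ID IN ( SELECT wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'product' "
    "AND ((wp_posts.post_status = 'publish')) ORDER BY wp_posts.post_date DESC, wp_posts.ID DESC ) "
    'AND term_taxonomy.taxonomy IN ("abc") or if(1=length(version()),1,sleep(5))#") '
    "GROUP BY terms.term_id"
)
BENIGN_QUERY = (
    "SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id "
    "FROM wp_posts AS posts "
    "INNER JOIN wp_term_relationships AS term_relationships ON posts.ID = term_relationships.object_id "
    "INNER JOIN wp_term_taxonomy AS term_taxonomy USING( term_taxonomy_id ) "
    "INNER JOIN wp_terms AS terms USING( term_id ) "
    "WHERE posts.post_type = 'product' "
    "AND term_taxonomy.taxonomy IN ('product_cat','product_tag') "
    "GROUP BY terms.term_id"
)

# Indicators. Each is a weak signal on its own; the checker reports every one that fires.
TIME_DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)
FINGERPRINT = re.compile(r"\b(version|user|database|current_user)\s*\(\s*\)", re.I)
COMMENT_MARKER = re.compile(r"#|--(\s|$)|/\*")
CLAUSE_END = re.compile(r"\b(GROUP\s+BY|ORDER\s+BY|HAVING|LIMIT)\b", re.I)


def taxonomy_in_clause(sql: str) -> Optional[str]:
    """Return the text following 'term_taxonomy.taxonomy IN', up to the next
    GROUP BY / ORDER BY / HAVING / LIMIT, or None if there is no such clause."""
    start = re.search(r"term_taxonomy\.taxonomy\s+IN\s*", sql, re.I)
    if start is None:
        return None
    rest = sql[start.end():]
    end = CLAUSE_END.search(rest)
    return (rest[: end.start()] if end else rest).strip()


def split_in_list(clause: str) -> Tuple[str, str]:
    """Split the clause into the parenthesised IN list and whatever follows it.

    Walks character by character and tracks string literals so parentheses inside
    quoted values do not affect the depth count. A clause whose list never closes
    is returned whole with an empty trailer."""
    if not clause.startswith("("):
        return "", clause
    depth = 0
    quote: Optional[str] = None
    for i, ch in enumerate(clause):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return clause[: i + 1], clause[i + 1:].strip()
    return clause, ""


def assess_query(sql: str) -> Dict[str, object]:
    """Triage one logged statement: return the IN list, any trailing SQL and the
    indicators that fired. 'verdict' is 'suspicious' if any indicator fired."""
    findings: List[str] = []
    clause = taxonomy_in_clause(sql)
    if clause is None:
        return {"in_list": None, "trailer": None, "findings": findings, "verdict": "no taxonomy clause"}
    in_list, trailer = split_in_list(clause)
    if trailer:
        findings.append("SQL appended after the closed IN list")
    if TIME_DELAY.search(clause):
        findings.append("time-delay function (blind, time-based probe)")
    if FINGERPRINT.search(clause):
        findings.append("server fingerprinting function such as version()")
    if COMMENT_MARKER.search(trailer):
        findings.append("comment marker discarding the rest of the original statement")
    for q in ("'", '"'):
        if clause.count(q) % 2:
            findings.append(f"unbalanced {q} quotes")
    return {"in_list": in_list, "trailer": trailer, "findings": findings,
            "verdict": "suspicious" if findings else "benign"}


def flag_suspicious(statements: List[str]) -> List[int]:
    """Indices of the statements in a log batch that deserve a closer look."""
    return [i for i, s in enumerate(statements) if assess_query(s)["verdict"] == "suspicious"]


if __name__ == "__main__":
    for name, q in (("suspicious", SUSPICIOUS_QUERY), ("benign", BENIGN_QUERY)):
        r = assess_query(q)
        print(f"{name}: verdict={r['verdict']} in_list={r['in_list']!r} trailer={r['trailer']!r}")
        for f in r["findings"]:
            print("  -", f)
```

    Feed it the statements from a slow-query log or a database-layer log and review every flagged index; a closed list followed by further SQL is the strongest of these signals, since WooCommerce's own term count query never appends anything after the taxonomy list.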

  74. Kelli
    julio 19, 2021 at 6:24 pm #

    Is there any more information available regarding this vulnerability? We’re up to date with updates and have reset passwords as a precaution, but I’m wondering if there are clear signs we should be on the lookout for which might indicate an actual security breach on the local level?

    When can we expect WC to issue updated information?

    • Laura Nelson
      julio 22, 2021 at 12:18 pm #

      Hi Kelli,

      Our original post, above, has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

  75. Mike Webb
    julio 20, 2021 at 11:09 am #

    Since last week and the WooCommerce update, I have now upgraded WordPress to 5.7.2 and PHP to 7.4 and my site is fine as long as I don’t activate the WooCommerce plugin.

    I am running Woocommerce 3.6.5 and have also tried upgrading to 3.6.6 but am getting message “Server Error 500 – Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.”

    Are you able to assist? Can I get more info on this problem?

    thanks

    Mike Webb

    • Laura
      julio 20, 2021 at 12:37 pm #

      Hi Mike,

      It sounds like we might need to dig a little deeper into your setup and the best thing would be to open a support ticket.

      You can do this via this link: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  76. samuelmn86gmailcom
    julio 20, 2021 at 2:18 pm #

    HELLO,

    MY SITE SHOWS TWO CRITICAL SITE HEALTH ISSUES SINCE YOUR VULNERABILITY. I HAVE TRIED TO OPEN A SUPPORT TICKET BUT IT WON’T LET ME.

    IF I DEACTIVATE YOUR PLUGIN THE ERROR GOES AWAY.

    1 / AN ACTIVE PHP SESSION WAS DETECTED.

    A PHP session was created by a session_start() function call. This interferes with the REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.

    2 / THE REST API ENCOUNTERED AN ERROR

    The REST API is one way that WordPress and other applications communicate with the server. One example is the block editor screen, which relies on this to display and save your posts and pages.

    The REST API request failed due to an error.
    Error: cURL error 28: Operation timed out after 10000 milliseconds with 0 bytes received (http_request_failed)

    ANY SOLUTION?

    THANK YOU VERY MUCH.

    • Laura Nelson
      julio 20, 2021 at 4:40 pm #

      Hello,

      Thanks for reaching out, and I’m sorry to hear you’re experiencing issues!

      On the surface, these issues do not look like they’re related to the vulnerability issue detailed in this post. Have you been able to update to the latest version of WooCommerce in your release branch, despite these errors?

      If you’re unable to open a support ticket, the best place to report this issue and seek assistance would be the WooCommerce Support Forum: https://wordpress.org/support/plugin/woocommerce/

      Thanks,

      Laura

  77. Mike Webb
    julio 20, 2021 at 4:02 pm #

    Laura

    Thanks for your assistance so far. I have now been able to activate WooCommerce Version 3.6.5 but am unable to update it to the required version, 3.6.6.

    This may be due to my web host, are you able to email me a zipped version of V3.6.6 as I can no longer download it from your site?

    Thanks

    Mike Webb

    • Laura Nelson
      julio 20, 2021 at 4:43 pm #

      Hi Mike,

      You’re welcome!

      A zipped version of WooCommerce 3.6.6 is available via this link: https://developer.woocommerce.com/releases/

      If you’re having issues downloading this or updating further, please do seek assistance from our dedicated support team: https://woo.com/my-account/create-a-ticket/

      They’ll be in the best position to support you with this issue.

      Thanks,

      Laura

      • Mike Webb
        julio 20, 2021 at 4:53 pm #

        Laura

        To manually install the plug-in, can I just simply empty my existing woocommerce folder and replace with the contents of this zip file? Will it keep all my settings and products and orders?

        Mike

        • Laura Nelson
          julio 21, 2021 at 12:48 pm #

          Hi Mike,

          Uploading a .zip file to update a plugin that’s already present is a functionality that was added in WordPress 5.5, so for older versions, you’ll need to do the following:

          You can delete WooCommerce and then upload version 3.6.5. The WooCommerce data and settings are stored in your database and not in the plugin files, so your settings, products, and orders should all stay in place. That said, it’s always a good idea to first make a backup.

          Thanks,

          Laura

  78. Matt
    julio 21, 2021 at 9:33 am #

    Thank you for warning and patching so quickly. After upgrading to 5.1.1, the warning message remains. Is that intended?

    • Laura Nelson
      julio 21, 2021 at 12:07 pm #

      Hi Matt,

      Thanks for letting us know – I don’t believe that is intended. I’ve passed this on to the team!

      Cheers,

      Laura

    • Laura Nelson
      julio 21, 2021 at 12:25 pm #

      Hi again Matt,

      I’ve just checked with the team, and they mentioned that you could still be seeing this message because you have an unpatched version of WooCommerce Blocks installed.

      Would you be able to check whether you’re also running this plugin, and if so, ensure that it’s updated to use one of the versions of WooCommerce Blocks listed in the table above, please?

      Thanks,

      Laura

  79. Greg Eden
    julio 21, 2021 at 10:44 am #

    Can someone let me know if this “vulnerability” is related to the huge numbers of fake orders we have had over the past few days?

    Is that what the issue was causing?

    We have updated to the latest versions of WordPress and Woo-Commerce but the problem has persisted.

    We have taken the general anti-spam precautions in settings, have Captcha installed and Wordfence – but we are still having this problem – always with Handepay orders.

    Can anyone advise?

    Many thanks

    Greg Eden (JPC Direct)

    • Laura Nelson
      julio 21, 2021 at 12:23 pm #

      Hi Greg,

      I’m so sorry to hear you’re experiencing a high volume of fake orders – that must be really frustrating.

      On the surface, it doesn’t sound like this would be related to the vulnerability issue, but I’d recommend getting in touch with our support team so that they can take a closer look: https://woo.com/my-account/create-a-ticket/

      If the common theme is Handepay orders, it would also be worth reaching out to Handepay directly to see if they have any insight on this.

      Thanks,

      Laura

    • Nick Allen
      julio 27, 2021 at 12:41 am #

      I am also experiencing many fake orders since the patch – any ideas? Nick

  80. Amir
    julio 21, 2021 at 3:11 pm #

    Hi,
    I am running WooCommerce plugin version 5.4.2 and WooCommerce Blocks version 5.3.2.

    Can I use the manual update for both and update them directly to version 5.5.1 for both plugins without being in the risk zone?

    Regards
    Amir

    • Laura Nelson
      julio 21, 2021 at 3:59 pm #

      Hi Amir,

      WooCommerce 5.4.2 and WooCommerce Blocks 5.3.2 are both updated versions that contain the security patch, so you’re already covered 🙂

      If you’d like to upgrade to version 5.5.1 anyway, we’d recommend following the instructions on this page: https://docs.woocommerce.com/document/how-to-update-woocommerce/ to make sure you don’t run into any issues while doing so.

      Cheers,

      Laura

      • Gizo
        julio 25, 2021 at 2:51 pm #

        One question please: I updated to WooCommerce 5.5.2 and now the wishlist page is not working (I have the YITH plugin for the wishlist). I am also interested: is it important that I immediately change the payment methods’ API keys?

  81. Gizo
    julio 25, 2021 at 1:57 pm #

    Please tell me, is it important to change my payment plugins’ API keys? My website is not broken and is working well now; I updated to WooCommerce version 5.5.2.

    • Laura
      julio 26, 2021 at 3:04 pm #

      Hi Gizo,

      We do recommend changing any private or secret data stored in your WordPress/WooCommerce database – this may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration.

      More information about this can be found in the blog post above.

      Thanks,

      Laura

  82. Nenad
    julio 26, 2021 at 7:39 pm #

    Hi. My site is up to date; however, yesterday in the access logs I noticed the first IP you mention here in this article – 137.116.119.175

    137.116.119.175 ***************.com – [25/Jul/2021:10:36:56 +0000] “GET / HTTP/1.1” 200 88 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36” | – | – – 0.001 – 0 NC:000000 UP:-

    So now I wonder, if this was fixed, how is it possible the address is still in the access logs, and do we need to do something? Block the IP maybe?

    • Laura Nelson
      julio 27, 2021 at 1:08 pm #

      Hi Nenad,

      If your website is using the most recent version of WooCommerce or one of the patched versions listed above, then no data would’ve been leaked because of this vulnerability – even if there are requests from malicious IPs.

      The patch rolled out by us does not block the IP, but fixes the underlying vulnerability.

      For peace of mind, you can block all of the IPs in the list above.

      Thanks,

      Laura

      • Nenad
        julio 27, 2021 at 3:09 pm #

        Thanks for your kind reply

  83. vasuki4769
    julio 28, 2021 at 5:46 am #

    Hi,
    Please tell me, is it important to upgrade? Our site’s WordPress version is 5.4. I have used the WooCommerce plugin, version 3.9.0. I have tried to upgrade the WooCommerce version but the WordPress version is not supported, so I need to upgrade the WordPress version. But I don’t want to upgrade the WordPress version; I want to upgrade the WooCommerce version only. If there is any other option without upgrading the WordPress version, then please help me.

    • Laura Nelson
      julio 29, 2021 at 5:38 pm #

      Hello!

      Yes, it is very important that you update WooCommerce to a patched version as soon as possible.

      Patches have been released for versions 3.3 – 5.5, so instead of going straight from 3.9.0 to 5.5.2, you can upgrade to 3.9.4. This would eliminate the need to upgrade your WordPress version. If you’re still having difficulties, you can manually download the zip file for this version here: https://developer.woocommerce.com/releases/

      That being said, if you are using WordPress 5.4.0, this is an insecure version of WordPress, and at a minimum, should be updated to version 5.4.2. More details here: https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

      Thanks,

      Laura

  84. Jaina Sunny
    julio 30, 2021 at 2:34 pm #

    I am running WooCommerce version 3.2.1 and WordPress version 4.7.21. To which WooCommerce version should I update?

    • Jaina Sunny
      julio 31, 2021 at 10:08 am #

      I am running WooCommerce version 3.1.2 and WordPress version 4.7.21. To which WooCommerce version should I update? I had updated to WooCommerce 3.3.6. Is that okay?

      • Laura Nelson
        agosto 3, 2021 at 12:32 pm #

        Hi Jaina,

        WooCommerce 3.1.2 was not an affected version, and 3.3.6 is a patched version, so either is safe to continue using.

        That being said, both are very old versions of WooCommerce, and we do recommend working towards updating to the latest version. More information on how to do this safely can be found here: https://docs.woocommerce.com/document/how-to-update-woocommerce/.

        Thanks,

        Laura

  85. vasuki4769
    julio 30, 2021 at 3:03 pm #

    Hi Laura Nelson,

    Thank you for your response. Sure I will try it.

    • Judy Wolinsky
      agosto 2, 2021 at 10:52 pm #

      I posted here earlier but I do not see it. I am running the most recent version of WordPress and WooCommerce. My website is shutting down and coming back up repeatedly. Can you please advise us what to do to fix this issue? Thanks

      • Laura Nelson
        agosto 3, 2021 at 12:33 pm #

        Hi Judy,

        If you’re experiencing issues with WooCommerce 5.5.2, the best place to seek help would be with our support team.

        Please raise a ticket with them via this link: https://woo.com/my-account/create-a-ticket/

        Thanks,

        Laura

  86. Ollie
    agosto 3, 2021 at 1:50 pm #

    It’s been some time now since this issue was discovered. Do we have any update on which sites were compromised and, if so, what data etc.?

    Many thanks

  87. Tinku Tharasing
    agosto 3, 2021 at 6:19 pm #

    Anybody experienced product checkout process issues? We are having an issue with the product total. Subtotal seems OK but the total will be zero. Also it’s not updating customer shipping info in order details.

    Tried a different theme, removing WooCommerce tables and installing the plugin again etc. Nothing seems to work.

  88. Gregorio
    agosto 4, 2021 at 4:50 pm #

    A new administrator account has been created on one of the domains on which woocommerce is installed. A new file was also automatically created each time it was deleted. I send the content of the file in pastebin – pastebin[dot]pl/view/c22ec65a. Disabling woocommerce stopped the automatic creation of the unwanted file

  89. Ridhwan
    agosto 5, 2021 at 10:35 am #

    Hello – I am on 4.8.0 – this would be the latest patched version for my “branch” – correct? Do I still need to update to 5.5.1? I am worried about that; it could create problems for our website if we update! Please guide me! Thanks.

    • Laura Nelson
      agosto 5, 2021 at 12:03 pm #

      Hi Ridhwan,

      4.8.0 is not an updated version of WooCommerce, so you will need to upgrade to a patched version ASAP.

      You don’t need to jump straight to 5.5.1, there’s a patched version in your release branch (4.8.1) that you can update to instead.

      A full list of patched versions has been included in the blog post above, please make sure you update to one of those as soon as you can.

      Thanks,

      Laura

  90. SUPERMAN
    agosto 7, 2021 at 2:35 am #

    For the love of Gooooooood, i was criptonited XD my website broken, and now more with my ex girlfriend, a perfect day. now i cant update, and 500 internal server error, dude i need a miracle, im done for a few hours, something its in my db, i cant log, phpmyadmin do not log, deleting the plugin woocomerce i could login in my wp-admin again, but now broken again, my ex girlfriend not calling me too, wth, i need a rest.. zzzzzzz i back in 12h , plz fix this awesome tool, we need a solution

    • Laura Nelson
      agosto 9, 2021 at 12:08 pm #

      Hi there,

      We’re really sorry to hear this!

      If you’re still experiencing problems, I’m sure our support team will be able to help you figure out what’s going on. You can raise a ticket via this link: https://woo.com/my-account/create-a-ticket/

      It may also be worth contacting your hosting provider’s support as well just in case the issue is on their end.

      Thanks,

      Laura

  91. Adrián
    agosto 7, 2021 at 11:26 am #

    thanks to everyone for notifying.

  92. Joan
    agosto 13, 2021 at 8:02 am #

    We have been locked out of our site. No matter what time of day we try to sign out we get a notice saying there have been too many attempts to log on. Can someone please help us? This has been since the updates.

    • Laura Nelson
      agosto 16, 2021 at 1:03 pm #

      Hi Joan,

      I’m really sorry to hear you’re experiencing issues with logging in!

      To get help with this, please contact our support team directly via this link: https://woo.com/my-account/create-a-ticket/

      Thanks,

      Laura

  93. WhatAmIMissing
    agosto 13, 2021 at 5:28 pm #

    I am on 3.5.9 and can’t upgrade. No problem, just download the patched version of 3.5.9 and manually update, right?

    I unzipped the patched version and did a Unix diff -qr against what I already have in my plugin/woocommerce dir. The only difference found is three image files (new in the patch):
    woocommerce/assets/images/eway-logo.jpg
    woocommerce/assets/images/storefront-bg.jpg
    woocommerce/assets/images/wcs-canada-post-logo.jpg

    So there’s no code difference in the patch vs what I have? Do I need to copy those image over to my production area? THANKS!

    • Laura Nelson
      agosto 16, 2021 at 1:01 pm #

      Hi there,

      WooCommerce 3.5.9 is already a patched version, so there’s no need to manually update! If you didn’t manually update to 3.5.9 yourself, it’s likely your website was included in the automatic security update we rolled out last month.

      Thanks,

      Laura