Last Updated: July 23, 2021
On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.
Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases), which was deployed automatically to vulnerable stores.
I have a WooCommerce store – what actions should I take?
Automatic software updates to WooCommerce 5.5.1 began rolling out on July 14, 2021, to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.2* or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin.
Important: With the release of WooCommerce 5.5.2 on July 23, 2021, the auto-update process mentioned above has been discontinued.
After updating to a patched version, we also recommend:
- Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites
- Rotating any Payment Gateway and WooCommerce API keys used on your site.
There’s more information about these steps below.
* WooCommerce 5.5.2 was released on July 23, 2021. The fixes contained in this version are unrelated to the recent security vulnerability.
How do I know if my version is up-to-date?
The table below contains the full list of patched versions for both WooCommerce and WooCommerce Blocks. If you are running a version of WooCommerce or WooCommerce Blocks that is not on this list, please update immediately to the highest version in your release branch.
Patched WooCommerce versions | Patched WooCommerce Blocks versions |
3.3.6 | 2.5.16 |
3.4.8 | 2.6.2 |
3.5.9 | 2.7.2 |
3.6.6 | 2.8.1 |
3.7.2 | 2.9.1 |
3.8.2 | 3.0.1 |
3.9.4 | 3.1.1 |
4.0.2 | 3.2.1 |
4.1.2 | 3.3.1 |
4.2.3 | 3.4.1 |
4.3.4 | 3.5.1 |
4.4.2 | 3.6.1 |
4.5.3 | 3.7.2 |
4.6.3 | 3.8.1 |
4.7.2 | 3.9.1 |
4.8.1 | 4.0.1 |
4.9.3 | 4.1.1 |
5.0.1 | 4.2.1 |
5.1.1 | 4.3.1 |
5.2.3 | 4.4.3 |
5.3.1 | 4.5.3 |
5.4.2 | 4.6.1 |
5.5.1 | 4.7.1 |
5.5.2 | 4.8.1 |
 | 4.9.2 |
 | 5.0.1 |
 | 5.1.1 |
 | 5.2.1 |
 | 5.3.2 |
 | 5.4.1 |
 | 5.5.1 |
Why didn’t my website get the automatic update?
Your site may not have automatically updated for a number of reasons. A few of the most likely are: you’re running a version prior to one impacted (below WooCommerce 3.3), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.
In all cases (except the first, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 5.5.2, 5.4.2, 5.3.1, etc.), as listed in the table above.
Has any data been compromised?
Based on the currently available evidence, we believe any exploit was limited.
If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
How can I check if my store was exploited?
Due to the nature of this vulnerability, and the extremely flexible way that WordPress (and thus WooCommerce) allows web requests to be handled, there is no definitive way of confirming an exploit. You may be able to detect some exploit attempts by reviewing your web server’s access logs (or getting help from your web host to do so). Requests in the following formats seen between December 2019 and now likely indicate an attempted exploit:
- REQUEST_URI matching regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
- REQUEST_URI matching regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is not efficient and is slow to run in most logging environments)
- Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
Requests that we have seen exploiting this vulnerability come from the following IP addresses, with over 98% coming from the first in the list. If you see any of these IP addresses in your access logs, you should assume the vulnerability was being exploited:
137.116.119.175
162.158.78.41
103.233.135.21
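As an added example (not code from the WooCommerce team or this advisory), the script below applies the three checks above to a web server access log: the two REQUEST_URI patterns, non-GET requests to the collection-data endpoint, and the listed source IPs, ignoring lines dated before December 2019 as the advisory suggests. The indicators are the ones on this page; the combined log format, the helper names (classify, scan) and the embedded sample log lines are assumptions of mine, and the sample lines are constructed, not real traffic.

```python
import re
from datetime import datetime, timezone

# Indicators quoted from the advisory. The %25252 marker is matched against
# the raw request line as the web server logged it, so the URI must not be
# URL-decoded before testing it.
URI_PATTERNS = [
    re.compile(r"/wp-json/wc/store/products/collection-data.*%25252"),
    re.compile(r".*/wc/store/products/collection-data.*%25252"),  # broader, slower form
]
ENDPOINT_MARKERS = (
    "/wp-json/wc/store/products/collection-data",
    "rest_route=/wc/store/products/collection-data",
)
KNOWN_IPS = {"137.116.119.175", "162.158.78.41", "103.233.135.21"}
# The advisory asks for requests seen from December 2019 onwards.
SINCE = datetime(2019, 12, 1, tzinfo=timezone.utc)

# Assumed Apache/nginx "combined" format:
# ip ident user [time] "METHOD uri proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line, since=SINCE):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    if when < since:
        return None  # outside the window the advisory describes
    ip, method, uri = m.group("ip"), m.group("method"), m.group("uri")
    reasons = []
    if any(p.search(uri) for p in URI_PATTERNS):
        reasons.append("double-encoded request to collection-data endpoint")
    if method != "GET" and any(marker in uri for marker in ENDPOINT_MARKERS):
        reasons.append(f"non-GET ({method}) request to collection-data endpoint")
    if ip in KNOWN_IPS:
        reasons.append("source IP listed in the advisory")
    if not reasons:
        return None
    return {"ip": ip, "time": when.isoformat(), "method": method, "uri": uri, "reasons": reasons}


def scan(lines, since=SINCE):
    """Scan an iterable of log lines and return the suspicious ones, in log order."""
    return [f for f in (classify(line, since) for line in lines) if f]


# Constructed sample log (not real traffic): a benign request, a pattern match
# from a listed IP, a non-GET to the endpoint, and a match that predates the window.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2021:10:15:32 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
137.116.119.175 - - [14/Jul/2021:10:16:01 +0000] "GET /wp-json/wc/store/products/collection-data?x=%25252a HTTP/1.1" 200 812 "-" "curl/7.68.0"
198.51.100.7 - - [14/Jul/2021:10:17:45 +0000] "POST /?rest_route=/wc/store/products/collection-data HTTP/1.1" 200 640 "-" "python-requests/2.25.1"
198.51.100.9 - - [03/Nov/2019:08:00:00 +0000] "GET /wp-json/wc/store/products/collection-data?x=%25252a HTTP/1.1" 200 100 "-" "-"
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for finding in scan(source):
        print(finding["time"], finding["ip"], finding["method"], finding["uri"],
              "; ".join(finding["reasons"]))
```

Run it with the path to an access log as the first argument (for example the nginx or Apache log your host exposes); with no argument it runs over the embedded sample and reports the second and third lines. Because the checks work on the raw request line, a proxy or WAF that decodes the URL before logging can hide the %25252 marker, and a hit is a lead for the password and key rotation steps described on this page, not a confirmation of compromise, which the advisory says cannot be established definitively from logs.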
Which passwords do I need to change?
It’s unlikely that your password was compromised as it is hashed.
WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.
This assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.
If any of the Administrator users on your site might have reused the same passwords on multiple websites we recommend you update those passwords in case their credentials have been compromised elsewhere.
We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways and more, depending on your particular store configuration.
As an extension developer or service provider, should we alert our WooCommerce merchants?
If you work with any live WooCommerce store or merchant, we encourage you to work with them to make sure they know about this issue, and/or update their store to a secure version.
If you have built an extension or offer a SaaS service that relies on the WooCommerce API, we encourage you to help merchants reset the keys to connect to your service.
As a store owner, should I alert my customers?
Whether you alert your customers is ultimately up to you. Your obligations to notify customers or reset things like passwords will vary depending on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised.
The most important action you can take to protect your customers is to update your version of WooCommerce to a version that has been patched with a fix for this vulnerability.
After updating, we recommend:
- Updating the passwords for any Administrator users on your site, especially if you reuse the same passwords on multiple websites
- Rotating any Payment Gateway and WooCommerce API keys used on your site.
As the store owner it is ultimately your decision whether you want to take additional precautions such as resetting your customers’ passwords. WordPress (and thus WooCommerce) user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach is applied to all user passwords on your site, including your customers’ passwords.
Is WooCommerce still safe to use?
Yes.
Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency.
Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed.
Our continued investment in platform security allows us to prevent the vast majority of issues – but in the rare cases that could potentially impact stores, we strive to fix quickly, communicate proactively, and work collaboratively with the WooCommerce Community.
What if I still have questions?
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
This vulnerability affected sites without blocks installed? Did you send warnings to all sites affected? (I don’t know if I was, I’ve updated my sites to 5.5.1 manually after reading this post) thanks!!!
Hi, Daniel.
Yes, WooCommerce versions 3.3 to 5.5.
We sent out an email to our mailing list as well.
Thank you for quickly updating!
Ok, if I didn’t receive a personalized mail or automatic update to my site (hosted outside wordpress.com), does it mean that it wasn’t affected in the meantime (1 day) between the 5.5 update and the 5.5.1 manual update?
Unfortunately your store still may have been vulnerable in that timeframe.
We can only email users who have opted-in to our mailing list, and auto-updates aren’t always possible.
However, now that you have updated, you are running the patched version.
Ok, but will you disclose a way to check if the site was attacked (verifying our logs or any other way)? Do we need to change admin passwords just in case?
Sorry for asking, but as merchants it is very worrying; I’ve updated an hour ago when you published the notice on social media.
Thanks in advance to the woo team!
Out of caution it is a good idea to update your passwords after installing the patched version.
We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.
Thank you!
You mention updating passwords along with updating to the patched version. Can you provide more detail of which passwords? Are you referring to WordPress Admin passwords? Payment processor passwords? Thank you!
My site is currently broken, I tried updating my plugins yesterday. Since then there is a critical error and I am not able to access WordPress, please assist me.
Hi there,
We’re really sorry to hear that!
Please open a ticket with our Support team: https://woocommerce.com/my-account/create-a-ticket/ who’ll be able to help resolve this issue for you.
Thanks,
Laura
So, is it safe with WooCommerce 5.4.1 and without blocks plugin?
My client is worried because we do not know what the vulnerability actually is…
Hi Alex,
If you’re running WooCommerce 5.4.1 you should update to 5.4.2.
We’re still investigating the issue, and will share more information on our blog when we’re able to do so.
Thanks,
Laura
What if the WooCommerce plugin won’t allow you to update, it gives this huge error with pink background. Should I just delete the plugin altogether?
Hi Anise,
If you’re experiencing issues with updating, please contact our team of Happiness Engineers: https://woocommerce.com/my-account/create-a-ticket/
They’ll be able to assist you with this process.
Thanks,
Laura
If I stay on Woo version 5.5.1, is it a problem and a risk for me?
How can I update WooCommerce when I get this warning? No guarantee the site will still work. I’ve been avoiding updates for a while. And now this vulnerability alert from you. What do you suggest I (we) do?
The following active plugin(s) have not declared compatibility with WooCommerce 5.0 yet and should be updated and examined further before you proceed:
Plugin | Tested up to WooCommerce version |
WooCommerce Table Rate Shipping | 4.5 |
Plug’n Pay Direct Gateway for WooCommerce | unknown |
As this is a major update, we strongly recommend creating a backup of your site before updating.
Hi Knox,
An updated version of WooCommerce containing the security patch has been made available for each release branch, which should negate the need for a major update at this time.
For example, if you’re using 4.9.2, you can update to the patched version in that branch – 4.9.3 – instead of jumping straight to 5.0.1 or higher.
You can find a list of all patched versions in the table above – if you’re currently running one of these versions, then you do not need to update. If you’re not using a patched version, you can find a direct download for each release branch on this page: https://developer.woocommerce.com/releases/.
You should not update to WooCommerce 5.0 as this is not a secure version.
Thanks,
Laura
Stupid beginners question. What is meant with “blocks”? Is that a separate plugin or included extra plugin? Is it “blocks” the complete name? I am confused.
It’s a separate plugin:
https://wordpress.org/plugins/woo-gutenberg-products-block/
How. I can’t do it.
Do you think WordPress.org will be pushing a forced update to patch this?
I’m currently working through client websites one by one
Hi, John.
Yes!
We provided the patch to WordPress.org and automatic software updates are rolling out now to all stores running impacted versions of each plugin.
However, we’re urging everyone to check and manually update if needed, just in case.
Do you recommend switching to another platform instead of WooCommerce, since it is always getting hacked? It has security holes. And nobody at support cares because it’s free.
Unless I’m misunderstanding, I don’t think a forced update is possible on self-hosted/WordPress.org sites, right? To be safe I just went all the way up to 5.5.1 on everything I manage, although the new point releases for each branch released today should have the patch, according to this page: https://developer.woocommerce.com/releases/
@Chris, it’s a little known and rarely used capability of the WordPress security team. They pushed a forced update for the loginizer plugin in October of last year and it looks as though they’ll do the same for this one
Automattic security team has the ability to force update on themes and plugins – there is such solution implemented in update system.
It has already been used a few times, AFAIR.
Glad it was patched quickly. That’s a lot of versions & a long time for a vulnerability to be out there… Has there been any indication that the vulnerability was being actively exploited?
Sharif,
Our investigation into this vulnerability and whether data has been compromised is ongoing.
Hopefully we’ll know more soon.
Thank you!
Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages. When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.
Is there any information you can share that could help me (or other concerned bystanders) to forensically determine if we were impacted? Maybe some diagnostic error log messages or URL patterns?
Hi there,
The team is still investigating the issue, and will share more details as soon as they’re able to do so.
In the meantime, please ensure that you’re running the latest version of WooCommerce in your release branch and update any admin passwords.
Thanks,
Laura
Hi again,
Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this.
Laura
So I am clear – WooCommerce v3.3 to 5.5 are vulnerable to this exploit? 3.3?? Blocks or no blocks?
Yes, that is correct.
Were/Are any third-party plug-ins compromised?
And should we alert our WooCommerce merchants?
Hi, Stef.
From what we know at this time only WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5) are affected.
I’d also suggest notifying your merchants to make sure they’ve updated.
Thank you!
Hi, I have immediately updated after reading your email. But I have woo-commerce 5.4.2 and blocks 5.3.2
Is it enough? Thanks!
Those are both patched versions, so you are safe from this vulnerability. If you are running the Blocks plugin separately, we do suggest you always keep it on the latest version since the only reason to run it separately is to get more recent features. If you don’t need that, then you can just uninstall the separate Blocks plugin, since a stable version is always bundled with WooCommerce Core now.
Hello – We have just updated our site to the latest version in our release branch 3.6.6 (14/07/21). Can you please confirm this release contains the security fix for the vulnerability in this article?
Hi, Josh.
Yes, WooCommerce 3.6.6 contains the security patch.
Thanks!
So, just to be clear, if we are using 5.4.1 and update to 5.4.2 it will be okay?
Or do we need to update to 5.5.1 from that branch?
5.4.2 is fine.
However, if you are using WooCommerce blocks on your site, then you should update to 5.5.1
Hi, I read now and immediately updated but: for me the latest version is 5.4.2 (woo-commerce) and 5.3.2 (blocks)
Is it enough?
Thanks!
Thanks John 🙂
I can’t update. I started to update from my phone, but it fails. Also, tried moving the Autoupdate slider from Off to On, but it keeps sliding back to Off. On the computer I went to my website, but get “Briefly unavailable for scheduled maintenance. Check back in a minute.” 15 minutes now. I filled out a support ticket, but maybe you can let others know what to do in this situation.
Sorry to hear that!
I’m sure our support team will be able to help you figure out what’s going on.
It may also be worth contacting your hosting provider’s support as well just in case the issue is on their end.
Thank you!
If you can FTP into your site, or access the file manager through your host’s control panel, find the file called maintenance.php and delete it. It will be in the main hierarchy of your site, inside the httpdocs directory, or where you find the wp-content, wp-admin, etc. directories. Try updating again after that. If you still can’t update, certainly reach out to WooCommerce or your host, but if it were me, I’d back up the plugin and then reinstall it.
Hope that helps.
Thanks Kevin, I reached out to my support team, but I’m not sure how many hours I will have to wait for them to get this resolved.
Thanks David, before I could track down that php file, the site returned from maintenance mode. However, the WooCommerce plugin had disappeared. I tried to reinstall, but that failed.
Fixed it. I renamed the WC installation and recovered my plugins, including WC, from a backup. I didn’t realize the restore would wipe the directory, so for anyone in my position, move the renamed WC folder outside the plugins folder in case you need it. In my case, the restore worked, and then I updated WC to 5.5.1. Things appear to be working.
Woke up to a similar situation. Website was on maintenance mode (from Plesk), after disabling maintenance mode and login to the WP admin backend I was greeted with errors that Woocommerce was missing. Under plugins, no WC visible. Could not upload the plugin via the backend for a reinstall, some generic error.
Checked via FTP and the WC folder was totally missing from plugins directory. Extracted the latest version and uploaded it manually to this directory. After that everything was fine again. I’ve got auto updates enabled for every plugin, first time it caused havoc to be honest.
Hello – it looks like I am on 3.4.8 – this would be the latest patched version for my ‘branch’ – correct? Do I still need to update to 5.5.1? When I try to, I get a major update warning and it shows the majority of my plugins saying they haven’t been tested past version 3.2-4.5 etc., so am I good to leave it as is? Or do I need to install 5.5.1? Thanks!
This specific vulnerability is patched in that version, yes.
That being said, that is a *very* old version of WooCommerce, so we would strongly suggest that you explore a path to being able to update. This is an extreme case where we “backported” a security fix to many previous versions, but we constantly release improvements to security, performance, and functionality, which normally only ship in the latest version (5.5.1 as of right now).
Gotcha, thank you … should I just go ahead and hope all my plugins will work? The warning is showing the majority of them haven’t been tested yet with that 5.x.x version
Hi Derek,
I wouldn’t personally say to update from 3.4.8 up to 5.5.1 without testing this first, say on a staging copy of your current site. If your host doesn’t offer that option, we’d recommend WP Staging for quickly spinning up a new test site.
Lots has changed from WooCommerce 3.4.8, like template files, functions, etc… so the chances are higher you would run into compatibility issues if your other extensions weren’t also updated for WooCommerce 5+ compatibility.
The important thing is that now your store is secure from this known vulnerability and you have the time to plan and test updating to the latest version of WooCommerce. 🙂
Thanks so much Ryan, I will check into the staging and start work on a test site to see if we can seamlessly upgrade. Thanks again for the help!
Is this vulnerability related to the unescaped attributes filter and is there any way to audit whether this attack has been performed on your site? Do you suggest any other mitigation other than the update?
Blocking access to the API without being authenticated prevents the exploit.
As for IOCs, it’s a GET request, so there will be logs showing it being exploited in the web server (nginx or apache) logs.
Hi Kaizen,
> Is this vulnerability related to the unescaped attributes filter
We’re currently still investigating the issue, and will share details on our blog when we’re able to do so.
> is there any way to audit whether this attack has been performed on your site?
If your store keeps request logs, you can check this log to find out if anything looks unusual. If you’re not sure if this is possible on your store, you can chat with your hosting company about this.
We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.
> Do you suggest any other mitigation other than the update?
At present, no. We will be contacting store owners directly if any further action is required.
Thanks,
Laura
Hi Kaizen,
Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.
Thanks,
Laura
Upgraded to latest version and cannot get Revenue Analytics to load, causing 502 errors. Any ideas why this would happen?
Hi there,
We’d recommend contacting our Support team directly about this! You can open a ticket here: https://woocommerce.com/my-account/create-a-ticket/
Thanks,
Laura
Same issue, massive 502 issues. After attempting on production site, stupid me.. (always update on a staging site if possible or in maintenance mode with backup) I have copied the site to staging now and still same issue.
We were hacked. What now? We have a backup but a week old!! Because I stopped using the automatic backups!
That’s rough man… I would suggest a couple of things:
1. Revert your files (**NOT THE DATABASE**) to the backed up version.
2. Update to the latest version in your branch by downloading the .zip here: https://developer.woocommerce.com/releases/
Extract manually via the server to update.
3. Use Wordfence (free version) to scan the site – it’s good at detecting malware and modified files.
3a. IF Wordfence finds some bad files, you’ve got problems – try and scan your logs to see what IP address was accessing them, then search your database to see if there are any matching sessions, and check the user_id (indicating a weak password on a user-account).
3b. Delete the files, and scan again until clean.
For anyone wondering “Is my version patched” — here is the releases page: https://developer.woocommerce.com/releases/
If you’re using the latest of your branch, it’s patched.
Cheers,
C.
Thanks so much for sharing this. We’ve also updated the post with a table of the correct patched versions everyone should be using.
I have my site at 5.4.1 version. Should I upgrade it to 5.5.1 manually ? I am only getting option to update version to 5.4.2 in wordpress updates page.
5.4.2 is the latest release for your branch, update to that and you’re good.
Here is the releases page: https://developer.woocommerce.com/releases/
I have two payments listed on my site which have not come through to my bank acc. Please advise. My plugin was up to date.
Thanks
Hi there,
Please get in touch with our team of Happiness Engineers directly – https://woocommerce.com/my-account/create-a-ticket/
They’ll be able to help investigate the cause of this issue for you.
Laura
I updated WooCommerce through wordpress and all WordPress tables have vanished. My support team are rolling back to yesterday’s database.
@#%#@!
I see you pay $1k for reporting this. Considering how much is at risk you might want to raise the motivation for good hackers to review WC.
Hi
I got your email, thanks for the advice…
I have a few questions…
I had version 5.4.1, wordpress gives me the version 5.4.2 to update (not 5.5.1)
why won’t WordPress mention ver 5.5.1 to me?
what depends on the update process?…
I thought we were always going to the latest version,
(I thought I was up to date with my version until yesterday when I got your email)
why will it be ok to update to 5.4.2 if there is 5.5.1 (even though it is not present in my updates page…)
Thanks in advance
You’re confusing WordPress itself (currently 5.7.2) and Woocommerce (now 5.5.1). Woocommerce is a plugin for WordPress. The issue here has been with Woocommerce, not WordPress itself.
Hi laughthisoff… no no..
I’m referring to woocommerce versions..
In my site I have version 5.4.1, AND wordpress gives me as a choice the version 5.4.2 of woocommerce to update
But WooCommerce was saying to update to version 5.5.1, WHICH WordPress is not giving me as an update possibility
I am not confused with or about wordpress (I have 5.7.2 for wordpress, but it has nothing to do with my questions)
Cheers
Hi Iki,
WooCommerce 5.4.2 is the correct version to update to based on your release branch, and contains the security patch.
If you’d like to update to 5.5.1, you should see the option to do so once you’ve updated to 5.4.2.
If you experience any issues with this, feel free to contact one of our Happiness Engineers here: https://woocommerce.com/my-account/create-a-ticket/
Thanks,
Laura
Is the vulnerability there if Woocommerce or Woocommerce blocks files are present but the plugin is deactivated? We’re a hosting company and we have a bunch of customers who have inactive woocommerce plugins in their codebases. I assume they tried it at one point then changed their minds or something…
are those deactivated plugin files safe or do they also need to be updated?
Thank you for all your hard work!
Hi Damien,
Deactivated plugin files are safe, but we do still recommend updating to the latest version in case any of your customers decide to reactivate them again in the future.
Thanks,
Laura
Hi!
I have an auto-update feature on for all my plugins and when I got the email notif earlier, I checked the plugin and it has been automatically updated to version 5.5.1. I’m not sure how instant the auto-update feature on wordpress is but should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?
Thanks!
Hi Jon,
> I checked the plugin and it has been automatically updated to version 5.5.1
Excellent. Ensuring that you’re running the latest version of WooCommerce available is the recommended course of action right now.
> should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?
We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.
Thanks,
Laura
Hi Jon,
Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.
Thanks,
Laura
From 5.0.0 to 5.0.1 is safe? Thanks
Hi Fabio,
Yes, WooCommerce 5.0.1 contains the security patch.
Thanks,
Laura
Thanks for your email. May I know about that vulnerability? What is it exactly? How does it affect my Ecommerce site?
Hi Haja,
Our investigation into this vulnerability is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
In the meantime, please ensure you’re running the latest versions of WooCommerce and WooCommerce Blocks, as they contain the security patch.
Thanks,
Laura
Hi Haja,
Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.
Thanks,
Laura
We have lots of customization combined with other plugins, so it’s hard to update the version soon. Can you provide a targeted patch or info about the vulnerability, so we can apply some fix without a full update?
Hi Suneth,
Updating to the latest branch version should avoid this problem (for example, if you’re running 5.4.1, updating to 5.4.2). This shouldn’t conflict with any customizations unless you’ve made them inside the WooCommerce plugin (which we strongly recommend against doing).
I hope that helps,
Laura
The problem is I’m using Version 3.6.6 🙂 and it cannot update to latest version directly
Hi Suneth,
Just confirming for you, WooCommerce 3.6.6 is a patched version that includes the security fix for this vulnerability discovered.
If you’re using 3.6.6 your site is secure from this vulnerability. 🙂
Morning,
After reading your email I upgraded to version 5.4.2.
As soon as I updated I was given the option to upgrade to 5.5.1 and I upgraded to this version.
Is the site now secure?
Hi Mauro,
Yes, both versions 5.4.2 and 5.5.1 contain the security patch, so you’re safe to use either of those.
Laura
Hi, thanks for the notification and the update.
Can this vulnerability be exploited also when the WooCommerce plugin is disabled? (i.e. not Active in WordPress). I can see my WooCommerce has been updated, but I’m not currently using it yet, so it is disabled…
Hi Marco,
Deactivated plugin files are safe, but we do still recommend ensuring WooCommerce has been updated to a patched version in case you decide to reactivate it in the future.
Thanks,
Laura
Hello,
I am using WooCommerce on a few of my old websites (in both WordPress network and single-website WordPress). The current version is 3.8.2 on all websites.
I saw that Kevin Bates said that version 3.6.6 contains security patch. Does this mean that 3.8.2 is safe, too?
Hi Milos,
Yes, WooCommerce 3.8.2 contains the security patch.
Cheers,
Laura
Hello,
I have updated my shops to 5.5.1. I don’t use WP Blocks and haven’t installed it as a plugin. But in WooCommerce Status it says: WooCommerce Blocks-Paket: 5.3.2
Is that normal? Or must I do something? Thanks in advance.
Hey,
is there a list of all patched versions available?
If not, are 5.2.2 and 5.3.1 patched versions?
Thanks & best regards,