Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know

Last Updated: July 23, 2021

On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.

Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.

I have a WooCommerce store – what actions should I take?

↑ Back to top

Automatic software updates to WooCommerce 5.5.1 began rolling out on July 14, 2021, to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.2* or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin.

Important: With the release of WooCommerce 5.5.2 on July 23, 2021, the auto-update process mentioned above has been discontinued.

After updating to a patched version, we also recommend:

  • Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites 
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

There’s more information about these steps below.

* WooCommerce 5.5.2 was released on July 23, 2021. The fixes contained in this version are unrelated to the recent security vulnerability.

How do I know if my version is up-to-date?

↑ Back to top

The table below contains the full list of patched versions for both WooCommerce and WooCommerce Blocks. If you are running a version of WooCommerce or WooCommerce Blocks that is not on this list, please update immediately to the highest version in your release branch.

Patched WooCommerce versionsPatched WooCommerce Blocks versions
3.3.62.5.16
3.4.82.6.2
3.5.92.7.2
3.6.62.8.1
3.7.22.9.1
3.8.23.0.1
3.9.43.1.1
4.0.23.2.1
4.1.23.3.1
4.2.33.4.1
4.3.43.5.1
4.4.23.6.1
4.5.33.7.2
4.6.33.8.1
4.7.23.9.1
4.8.14.0.1
4.9.34.1.1
5.0.14.2.1
5.1.14.3.1
5.2.34.4.3
5.3.14.5.3
5.4.24.6.1
5.5.14.7.1
5.5.24.8.1
4.9.2
5.0.1
5.1.1
5.2.1
5.3.2
5.4.1
5.5.1

Why didn’t my website get the automatic update?

↑ Back to top

Your site may not have automatically updated for a number of reasons, a few of the most likely are: you’re running a version prior to one impacted (below WooCommerce 3.3), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.

In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 5.5.2, 5.4.2, 5.3.1, etc), as listed in the table above.

Has any data been compromised?

↑ Back to top

Based on the current available evidence we believe any exploit was limited.

If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

How can I check if my store was exploited?

↑ Back to top

Due to the nature of this vulnerability, and the extremely flexible way that WordPress (and thus WooCommerce) allows web requests to be handled, there is no definitive way of confirming an exploit. You may be able to detect some exploit attempts by reviewing your web server’s access logs (or getting help from your web host to do so). Requests in the following formats seen between December 2019 and now likely indicate an attempted exploit:

  • REQUEST_URI matching regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
  • REQUEST_URI matching regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is not efficient/is slow to run in most logging environments)
  • Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data

Requests that we have seen exploiting this vulnerability come from the following IP addresses, with over 98% coming from the first in the list. If you see any of these IP addresses in your access logs, you should assume the vulnerability was being exploited:

  • 137.116.119.175
  • 162.158.78.41
  • 103.233.135.21

Which passwords do I need to change?

↑ Back to top

It’s unlikely that your password was compromised as it is hashed

WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.

This assumes that your site is using the standard WordPress password management for users.  Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.

If any of the Administrator users on your site might have reused the same passwords on multiple websites we recommend you update those passwords in case their credentials have been compromised elsewhere. 

We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways and more, depending on your particular store configuration.

As an extension developer or service provider, should we alert our WooCommerce merchants?

↑ Back to top

If you work with any live WooCommerce store or merchant, we encourage you to work with them to make sure they know about this issue, and/or update their store to a secure version.

If you have built an extension or offer a SaaS service that relies on the WooCommerce API, we encourage you to help merchants reset the keys to connect to your service. 

As a store owner, should I alert my customers? 

Whether you alert your customers is ultimately up to you. Your obligations to notify customers or reset things like passwords will vary depending on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised. 

The most important action you can take to protect your customers is to update your version of WooCommerce to a version that has been patched with a fix for this vulnerability. 

After updating, we recommend:

  • Updating the passwords for any Administrator users on your site, especially if you reuse the same passwords on multiple websites 
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

As the store owner it is ultimately your decision whether you want to take additional precautions such as resetting your customers’ passwords. WordPress (and thus WooCommerce) user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach is applied to all user passwords on your site, including your customers’ passwords.

Is WooCommerce still safe to use?

↑ Back to top

Yes.

Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency. 

Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed. 

Our continued investment in platform security allows us to prevent the vast majority of issues – but in the rare cases that could potentially impact stores, we strive to fix quickly, communicate proactively, and work collaboratively with the WooCommerce Community.

What if I still have questions?

↑ Back to top

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

Beau Lebens Avatar

About

268 comments

  1. This vulnerability affected sites without blocks installed? Did you send warnings to all sites affected? (I don’t know if I was, I’ve updated my sites to 5.5.1 manually after reading this post) thanks!!!

    Daniel
    July 15, 2021
    • Hi, Daniel.

      This vulnerability affected sites without blocks installed?

      Yes, WooCommerce versions 3.3 to 5.5.

      Did you send warnings to all sites affected?

      We sent out an email to our mailing list as well.

      I’ve updated my sites to 5.5.1 manually after reading this post) thanks!!!

      Thank you for quickly updating!

      Kevin Bates
      July 15, 2021
      • Ok, if i didn’t receive a personalized mail or automatic update to my site(hosted outside wordpress.com) it means that wasn’t affected in the meantime(1 day) between 5.5 update and 5.5.1 manual update?

        danielspain22
        July 15, 2021
        • Unfortunately your store still may have been vulnerable in that timeframe.

          We can only email users who have opted-in to our mailing list, and auto-updates aren’t always possible.

          However, now that you have updated, you are running the patched version.

          Kevin Bates
          July 15, 2021
          • Ok, but you’ll disclose a way to check if the site was attacked?(verifying our logs or any other way?) Do we need to changes admin passwords just in case?
            Sorry for asking, but as merchants is very worrying, iv’e updated an hour ago when you published the notice in social media.
            Thanks in advance to the woo team!

            danielspain22
            July 15, 2021
          • Out of caution it is a good idea to update your passwords after installing the pached version.

            We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

            Thank you!

            Kevin Bates
            July 15, 2021
          • You mention updating passwords along with updating to the patched version. Can you provide more detail of which passwords? Are you referring to WordPress Admin passwords? Payment processor passwords? Thank you!

            Erin
            July 15, 2021
      • My site is currently broken, I tried updating my plugins yesterday. Since then there is a critical error and I am not able to access WordPress, please assist me.

        huskyoatmealkleopatra83965
        July 15, 2021
      • So, is it safe with WooCommerce 5.4.1 and without blocks plugin?
        My client is worried because we do not know what the vulnerability actually is…

        Alex
        July 15, 2021
        • Hi Alex,

          If you’re running WooCommerce 5.4.1 you should update to 5.4.2.

          We’re still investigating the issue, and will share more information on our blog when we’re able to do so.

          Thanks,

          Laura

          Laura Nelson
          July 15, 2021
      • What if the WooCommerce plug in won’t allow you to update, it gives this huge error with pink background. Should I just delete the plugin alltogether?

        Anise
        July 16, 2021
        • Hi Anise,

          If you’re experiencing issues with updating, please contact our team of Happiness Engineers: https://woocommerce.com/my-account/create-a-ticket/

          They’ll be able to assist you with this process.

          Thanks,

          Laura

          Laura Nelson
          July 17, 2021
          • If i stay on woo 5.5.1 version it problem and risk with me?

            gizo1989
            July 24, 2021
      • How can I update WooCommerce when I get this warning? No guarantee the site will still work. I’ve been avoiding updates for a while. And now this vulnerability alert from you. What do you suggest I (we) do?

        The following active plugin(s) have not declared compatibility with WooCommerce 5.0 yet and should be updated and examined further before you proceed:

        Plugin Tested up to WooCommerce version
        WooCommerce Table Rate Shipping 4.5
        Plug’n Pay Direct Gateway for WooCommerce unknown
        As this is a major update, we strongly recommend creating a backup of your site before updating.

        Knox Bronson
        August 10, 2021
        • Hi Knox,

          An updated version of WooCommerce containing the security patch has been made available for each release branch, which should negate the need for a major update at this time.

          For example, if you’re using 4.9.2, you can update to the patched version in that branch – 4.9.3 – instead of jumping straight to 5.0.1 or higher.

          You can find a list of all patched versions in the table above – if you’re currently running one of these versions, then you do not need to update. If you’re not using a patched version, you can find a direct download for each release branch on this page: https://developer.woocommerce.com/releases/.

          You should not update to WooCommerce 5.0 as this is not a secure version.

          Thanks,

          Laura

          Laura Nelson
          August 11, 2021
    • Stupid beginners question. What is meant with “blocks”? Is that a separate plugin or included extra plugin? Is it “blocks” the complete name? I am confused.

      redes6039
      July 15, 2021
    • How. I can’t do it.

      Md Sherazul Islam
      July 28, 2021
  2. Do you think WordPress.org will be pushing a forced update to patch this?
    I’m currently working through client websites one by one

    John Cook
    July 15, 2021
    • Hi, John.

      Yes!

      We provided the patch to WordPress.org and automatic software updates are rolling out now to all stores running impacted versions of each plugin.

      However, we’re urging everyone check and manually update if needed just in case.

      Kevin Bates
      July 15, 2021
      • Recommandez-vous de passer à une autre plate-forme au lieu de WooCommerce car elle est toujours piratée. Il a des trous de sécurité. Et personne du support ne s’en soucie car c’est gratuit.

        Khamoosh
        July 16, 2021
    • Unless i’m misunderstanding, I don’t think a forced updated is possible on self-hosted/Wordpress.org sites, right? To be safe I just went all the way up to 5.5.1 on everything I manage, although the new point releases for each branch released today should have the patch, according to this page: https://developer.woocommerce.com/releases/

      Chris
      July 15, 2021
      • @Chris, it’s a little known and rarely used capability of the WordPress security team. They pushed a forced update for the loginizer plugin in October of last year and it looks as though they’ll do the same for this one

        John Cook
        July 15, 2021
      • Automattic security team has the ability to force update on themes and plugins – there is such solution implemented in update system.

        It has been already used few times, AFAIR.

        Krzysiek Dróżdż
        July 15, 2021
  3. Glad it was patched quickly. That’s a lot of versions & a long time for a vulnerability to be out there… Has there been any indication that the vulnerability was being actively exploited?

    Sharif Jameel
    July 15, 2021
    • Sharif,

      Our investigation into this vulnerability and whether data has been compromised is ongoing.

      Hopefully we’ll know more soon.

      Thank you!

      Kevin Bates
      July 15, 2021
      • Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages. When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.

        Is there any information you can share that could help me (or other concerned bystanders) to forensically determine if we were impacted? Maybe some diagnostic error log messages or URL patterns?

        tishuk
        July 15, 2021
        • Hi there,

          The team is still investigating the issue, and will share more details as soon as they’re able to do so.

          In the meantime, please ensure that you’re running the latest version of WooCommerce in your release branch and update any admin passwords

          Thanks,

          Laura

          Laura Nelson
          July 16, 2021
          • Hi again,

            Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this.

            Laura

            Laura Nelson
            July 22, 2021
  4. So I am clear – WooCommerce v3.3 to 5.5 are vulnerable to this exploit? 3.3?? Blocks or no blocks?

    julierachlin1
    July 15, 2021
    • Yes, that is correct.

      Kevin Bates
      July 15, 2021
  5. Were/Are any third-party plug-ins compromised?

    Stef
    July 15, 2021
    • And should we alert our WooCommerce merchants?

      Stef
      July 15, 2021
    • Hi, Stef.

      From what we know at this time only WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5) are affected.

      I’d also suggest notifying your merchants to make sure they’ve updated.

      Thank you!

      Kevin Bates
      July 15, 2021
      • Hi, I have immediately updated after reading your email. But I have woo-commerce 5.4.2 and blocks 5.3.2
        It’s enough? Thanks!

        LAURA MALFATTO
        July 15, 2021
        • Those are both patched versions, so you are safe from this vulnerability. If you are running the Blocks plugin separately, we do suggest you always keep it on the latest version since the only reason to run it separately is to get more recent features. If you don’t need that, then you can just uninstall the separate Blocks plugin, since a stable version is always bundled with WooCommerce Core now.

          Beau Lebens
          July 15, 2021
  6. Hello – We have just updated our site to the latest version in our release branch 3.6.6 (14/07/21). Can you please confirm this release contains the security fix for the vulnerability in this article?

    Josh
    July 15, 2021
    • Hi, Josh.

      Yes, WooCommerce 3.6.6 contains the security patch.

      Thanks!

      Kevin Bates
      July 15, 2021
  7. So, just to be clear, if we are using 5.4.1 and update to 5.4.2 it will be okay?

    Or do we need to update to 5.5.1 from that branch?

    Phil
    July 15, 2021
    • 5.4.2 is fine.

      However, if you are using WooCommerce blocks on your site, then you should update to 5.5.1

      John Pallister
      July 15, 2021
      • Hi, I read now and immediately updated but: for me the latest version is 5.4.2 (woo-commerce) and 5.3.2 (blocks)
        It’s enough?
        Thanks!

        LAURA MALFATTO
        July 15, 2021
      • Thanks John 🙂

        Phil
        July 15, 2021
  8. I can’t update. I started to update from my phone, but it fails. Also, tried moving the Autoupdate slider from Off to On, but it keeps sliding back to Off. On the computer I went to my website, but get “Briefly unavailable for scheduled maintenance. Check back in a minute.” 15 minutes now. I filled out a support ticket, but maybe you can let others know what to do in this situation.

    druekberg
    July 15, 2021
    • Sorry to hear that!

      I’m sure our support team will be able to help you figure out what’s going on.

      It may also be worth contacting your hosting provider’s support as well just in case the issue is on their end.

      Thank you!

      Kevin Bates
      July 15, 2021
    • If you can FTP into your site, or access the file manager through your host’s control panel, find the file called maintenance.php and delete it. It will be it the main hierarchy of your site, inside the httpdocs directory, or where you find the wp-content, wp-admin, etc. directories. Try updating again after that. If you still can’t update, certainly reach out to Woocommerce or your host, but if it were me, I’d back up the plugin and then reinstall it.

      Hope that helps.

      David Bracken
      July 15, 2021
      • Thanks Kevin, I reached out to my support team, but I’m not sure how many hours I will have to wait for them to get this resolved.

        Thanks David, before I could track down that php file, the site returned from maintenance mode. However, the WooCommerce plugin had disappeared. I tried to reinstall, but that failed.

        druekberg
        July 15, 2021
        • Fixed it. I renamed the WC installation and recovered my plugins, including WC, from a backup. I didn’t realize the restore would wipe the directory, so for anyone in my position, move the renamed WC folder outside the plugins folder in case you need it. In my case, the restore worked, and then I updated WC to 5.5.1. Things appear to be working.

          druekberg
          July 15, 2021
          • Woke up to a similar situation. Website was on maintenance mode (from Plesk), after disabling maintenance mode and login to the WP admin backend I was greeted with errors that Woocommerce was missing. Under plugins, no WC visible. Could not upload the plugin via the backend for a reinstall, some generic error.
            Checked via FTP and the WC folder was totally missing from plugins directory. Extracted the latest version and uploaded it manually to this directory. After that everything was fine again. I’ve got auto updates enabled for every plugin, first time it caused havoc to be honest.

            bringmeict
            July 15, 2021
  9. Hello – it looks like I am on 3.4.8 – this would be the latest patched version for my ‘branch” – correct? Do I still need to update to 5.5.1? – when I try to, I get a major update warning and it shows the majority of my plugins say that haven’t been tested past version 3.2-4.5 etc ..so am I good to leave it as is? – or do I need to install 5.5.1? Thanks!

    Derek
    July 15, 2021
    • This specific vulnerability is patched in that version, yes.

      That being said, that is a *very* old version of WooCommerce, so we would strongly suggest that you explore a path to being to update. This is an extreme case where we “backported” a security fix back to many previous versions, but we constantly release improvements to security, performance, and functionality, which normally only ship in the latest version usually (5.5.1 as of right now).

      Beau Lebens
      July 15, 2021
      • gotcha thank you …should I just go ahead and hope all my plugins will work? The warning is showing the majority of them haven’t been tested yet with that 5.x.x version

        derek
        July 15, 2021
        • Hi Derek,

          I wouldn’t personally say to update from 3.4.8 up to 5.5.1 without testing this first say on a staging copy of your current site. If your host doesn’t offer that option, we’d recommend WP Staging for quickly spinning up a new test site.

          Lots has changed from WooCommerce 3.4.8, like template files, functions, etc… so the chances are higher you would run into compatibility issues if your other extensions weren’t also updated for WooCommerce 5+ compatibility.

          The important thing is that now your store is secure from this known vulnerability and you have the time to plan and test updating to the latest version of WooCommerce. 🙂

          Ryan Ray
          July 15, 2021
          • Thanks so much Ryan, I will check into the staging and start work on a test sight to see if we can seamlessly upgrade ..Thanks again for the help!

            Derek
            July 21, 2021
  10. Is this vulnerability related to the unescaped attributes filter and is there any way to audit whether this attack has been performed on your site? Do you suggest any other mitigation other than the update?

    Kaizen
    July 15, 2021
    • blocking access to the API without being authenticated prevents the exploit.

      as for IOC’s its a GET request, so there will be logs showing it being exploited in the web server (nginx or apache) logs.

      dawgyg
      July 15, 2021
    • Hi Kaizen,

      > Is this vulnerability related to the unescaped attributes filter

      We’re currently still investigating the issue, and will share details on our blog when we’re able to do so.

      > is there any way to audit whether this attack has been performed on your site?

      If your store keeps request logs, you can check this log to find out if anything looks unusual. If you’re not sure if this is possible on your store, you can chat with your hosting company about this.

      We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

      > Do you suggest any other mitigation other than the update?

      At present, no. We will be contacting store owners directly if any further action is required.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
    • Hi Kaizen,

      Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,
      Laura

      Laura Nelson
      July 22, 2021
  11. Upgraded to latest version and cannot get Revenue Analytics to load, causing 502 errors. Any ideas why this would happen?

    bhalstrom
    July 15, 2021
    • Hi there,

      We’d recommend contacting our Support team directly about this! You can open a ticket here: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
    • Same issue, massive 502 issues. After attempting on production site, stupid me.. (always update on a staging site if possible or in maintenance mode with backup) I have copied the site to staging now and still same issue.

      James
      July 20, 2021
  12. We were hacked. What know? We have a back up but a week old!! cause I stoped using the automatic back ups!

    Gerardo Venegas
    July 15, 2021
    • That’s rough man… I would suggest a couple of things:

      1. Revert your files (**NOT THE DATABASE**) to the backed up version.
      2. Update to the latest version in your branch by downloading the .zip here: https://developer.woocommerce.com/releases/
      Extract manually via the server to update.
      3. Use Wordfence (free version) to scan the site – it’s good at detecting malware and modified files.

      3a. IF Wordfence finds some bad files, you’ve got problems – try and scan your logs to see what IP address was accessing them, then search your database to see if there are any matching sessions, and check the user_id (indicating a weak password on a user-account).
      3b. Delete the files, and scan again until clean.

      ellevatedesigns
      July 15, 2021
  13. For anyone wondering “Is my version patched” — here is the releases page: https://developer.woocommerce.com/releases/

    If you’re using the latest of your branch, it’s patched.

    Cheers,
    C.

    ellevatedesigns
    July 15, 2021
    • Thanks so much for sharing this. We’ve also updated the post with a table of the correct patched versions everyone should be using.

      Ryan Ray
      July 15, 2021
  14. I have my site at 5.4.1 version. Should I upgrade it to 5.5.1 manually ? I am only getting option to update version to 5.4.2 in wordpress updates page.

    Jatinder
    July 15, 2021
    • 5.4.2 is the latest release for your branch, update to that and you’re good.

      Here is the releases page: https://developer.woocommerce.com/releases/

      ellevatedesigns
      July 15, 2021
    • I have two payments listed on my site which have not come through to my bank acc. Please advise. My plugin was up to date.

      Thanks

      poetrix53
      July 16, 2021
  15. I updated WooCommerce through wordpress and all WordPress tables have vanished. My support team are rolling back to yesterday’s database.
    @#%#@!

    Chris
    July 15, 2021
  16. I see you pay $1k for reporting this. Considering how much is at risk you might want to raise the motivation for good hackers to review WC.

    iableorg
    July 15, 2021
  17. Hi
    I got your email, thanks for the advice…

    I have a few questions…

    I had version 5.4.1, wordpress gives me the version 5.4.2 to update (not 5.5.1)

    why wordpress won´t mention ver 5.5.1 to me?
    what depends on the update process?…

    I thought we were always going to the latest version,
    (I thought I was up to date with my version until yesterday that I got your email)

    why will it be ok to update to 5.4.2 if there is 5.5.1 (even thou is not present in my updates page…)

    Thanks in advance

    iki
    July 15, 2021
    • You’re confusing WordPress itself (currently 5.7.2) and Woocommerce (now 5.5.1). Woocommerce is a plugin for WordPress. The issue here has been with Woocommerce, not WordPress itself.

      laughthisoff
      July 15, 2021
      • Hi laughthisoff… no no..
        I’m referring to woocommerce versions..

        In my site I have version 5.4.1, AND wordpress gives me as a choice the version 5.4.2 of woocommerce to update

        But Woocommerce was saying to update to version 5.5.1 WICH WordPress in not giving me as update possibility

        I am not confused with or about wordpress (I have 5.7.2 for wordpress, but it has nothing to do with my questions)

        Cheers

        IKI
        July 15, 2021
    • Hi Iki,

      WooCommerce 5.4.2 is the correct version to update to based on your release branch, and contains the security patch.

      If you’d like to update to 5.5.1, you should see the option to do so once you’ve updated to 5.4.2.

      If you experience any issues with this, feel free to contact one of our Happiness Engineers here: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  18. Is the vulnerability there if Woocommerce or Woocommerce blocks files are present but the plugin is deactivated? We’re a hosting company and we have a bunch of customers who have inactive woocommerce plugins in their codebases. I assume they tried it at one point then changed their minds or something…

    are those deactivated plugin files safe or do they also need to be updated?

    Thank you for all your hard work!

    Damien
    July 15, 2021
    • Hi Damien,

      Deactivated plugin files are safe, but we do still recommend updating to the latest version in case any of your customers decide to reactivate them again in the future.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  19. Hi!

    I have an auto-update feature on for all my plugins and when I got the email notif earlier, I checked the plugin and it has been automatically updated to version 5.5.1. I’m not sure how instant the auto-update feature on wordpress is but should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?

    Thanks!

    Jon Ichiro
    July 15, 2021
    • Hi Jon,

      > I checked the plugin and it has been automatically updated to version 5.5.1

      Excellent. Ensuring that you’re running the latest version of WooCommerce available is the recommended course of action right now.

      > should I be concerned that I might have gotten compromised or does the vulnerability only occur to outdated plugins?

      We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
      • Hi Jon,

        Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

        Thanks,

        Laura

        Laura Nelson
        July 22, 2021
  20. From 5.0.0 to 5.0.1 is safe? Thanks

    Fabio
    July 15, 2021
    • Hi Fabio,

      Yes, WooCommerce 5.0.1 contains the security patch.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  21. Thanks your email, may i know about that vulnerability ? what is that exactly ? how its affect my Ecommerce site ?

    Haja Kutbudeen
    July 15, 2021
    • Hi Haja,

      Our investigation into this vulnerability is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

      In the meantime, please ensure you’re running the latest versions of WooCommerce and WooCommerce Blocks, as they contain the security patch.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
      • Hi Haja,

        Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

        Thanks,

        Laura

        Laura Nelson
        July 22, 2021
  22. We have lot’s of customization and combined with other plugins, so it’s hard to update the version soon, so can you provide targeted patch or info about vulnerability , so we can apply some fix without update full

    suneth
    July 15, 2021
    • Hi Suneth,

      Updating to the latest branch version should avoid this problem. For example, if you’re running 5.4.1, updating to 5.4.2). This shouldn’t conflict with any customizations unless you’ve made them inside the WooCommerce plugin (which we strongly recommend against doing).

      I hope that helps,

      Laura

      Laura Nelson
      July 15, 2021
      • The problem is I’m using Version 3.6.6 🙂 and it cannot update to latest version directly

        Suneth
        July 15, 2021
        • Hi Suneth,

          Just confirming for you, WooCommerce 3.6.6 is a patched version that includes the security fix for this vulnerability discovered.

          If you’re using 3.6.6 your site is secure from this vulnerability. 🙂

          Ryan Ray
          July 15, 2021
  23. Morning,

    After reading your email I upgraded to version 5.4.2.

    As soon as I updated I was given the option to upgrade to 5.5.1 and I upgraded to this version.

    Is the site now secure?

    Mauro
    July 15, 2021
    • Hi Mauro,

      Yes, both versions 5.4.2 and 5.5.1 contain the security patch, so you’re safe to use either of those.

      Laura

      Laura Nelson
      July 15, 2021
  24. Hi, thanks for the notification and the update.
    Can this vulnerability be exploited also when the WooCommerce plugin is disabled? (i.e. not Active in WordPress). I can see my WooCommerce has been updated, but I’m not currently using it yet, so it is disabled…

    Marco
    July 15, 2021
    • Hi Marco,

      Deactivated plugin files are safe, but we do still recommend ensuring WooCommerce has been updated to a patched version in case you decide to reactivate it in the future.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  25. Hello,

    I am using WooCommerce on few of my old websites (In both WordPress network and single website wordpress). Current version is 3.8.2 in all websites.

    I saw that Kevin Bates said that version 3.6.6 contains security patch. Does this mean that 3.8.2 is safe, too?

    Milos
    July 15, 2021
    • Hi Milos,

      Yes, WooCommerce 3.8.2 contains the security patch.

      Cheers,

      Laura

      Laura Nelson
      July 15, 2021
  26. Hello,

    i have updated my shops to 5.5.1.I dont use wp blocks and haven´t installed it as a plugin. But in Woocommerce Status it says: WooCommerce Blocks-Paket: 5.3.2

    Is that normal. Or must i do something. Thanx in advance.

    Mona
    July 15, 2021
  27. Hey,

    is there a list of all patched version available?

    If not, are 5.2.2 and 5.3.1 patched versions?

    Thanks & best regards,
    David

    David
    July 15, 2021
    • Hi David,

      > is there a list of all patched version available?

      You can see the full list of releases here: https://developer.woocommerce.com/releases/, with the latest versions of each listed.

      We’ll be getting this added to the blog post ASAP.

      >are 5.2.2 and 5.3.1 patched versions?

      5.2.2 is not a patched version, so you’ll need to update this to 5.2.3.

      5.3.1 is a patched version.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  28. I have Woocommerce 4.8.0 installed and WordPress offers update to 4.8.1. Am I safe if I install 4.8.1? Does it fix this issue?

    I have a critical production site so I would rather install a minor patch now if it fixes the issue and upgrade to Woocommerce 5.x later.

    Mikael
    July 15, 2021
    • Hi Mikael,

      Yes, WooCommerce 4.8.1 is the updated version containing the security patch.

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
  29. Hi i run a third party plugin “Germanized for WooCommerce” and it seems like this plugin is not compatible with the newest version of woocommerce.

    Woocommerce got an auto update today from 4.8.0 to 4.8.1. Is the problem solved now?

    Thank you,
    Alex

    Alex
    July 15, 2021
    • Germanized, considering you are using the latest version works just fine with the latest Woo version: https://wordpress.org/plugins/woocommerce-germanized/

      Dennis
      July 15, 2021
      • I am not quite sure which one i should update first?

        WordPress? (current Version 5.6.4)
        Woocommerce? (currenct 4.8.1)
        Woocommerce germanized? (current 3.3.1)
        Woocommerce germanized pro? (current 3.1.0)

        Is the Woocommerce Version 4.8.1. safe now or not?
        I am not sure if its a good idea to upgrade Woocommerce to a 5.x.x Version….i am afraid of crashing my website.

        Alex
        July 15, 2021
        • Hi Alex,

          As this critical vulnerability concerns the WooCommerce plugin, we highly recommend ensuring this is up to date first.

          The version you mention, 4.8.1, contains the security patch so there’s nothing else you need to do here until you’re ready to update to the latest version (5.5.1).

          Thanks,

          Laura

          Laura Nelson
          July 15, 2021
        • Hi Alex,

          I am not quite sure which one i should update first?

          If you need any assistance on how to update WooCommerce safely, this step-by-step guide may be useful.

          Thanks.

          Gareth
          July 15, 2021
  30. I have a site on 3.1.2 Does this mean I’m unaffected?

    Janet
    July 15, 2021
    • Hi Janet,

      Yes, 3.1.2 is unaffected. However, that is a *very* old version of WooCommerce, so we would strongly recommend that you explore a path to being up to date.

      This is an extreme case where we “backported” a security fix back to many previous versions, but we constantly release improvements to security, performance, and functionality, which normally only ship in the latest version usually (5.5.1 as of right now).

      Thanks,

      Laura

      Laura Nelson
      July 15, 2021
      • Thanks Laura,

        What do you mean old, it’s not even 4 years yet!
        😉

        Appreciate the attention to the older versions that are affected though. And the speedy response.

        Janet
        July 15, 2021
  31. Just wanted to say thank you. I am impressed how many branches you patched. You even patched very very old versions! You are doing a great favor with that to people having older legacy installations. Thank you for that.

    Michael
    July 15, 2021
    • Hi Michael,

      Thank you for the kind feedback – we’ve shared this with the team!

      Laura

      Laura Nelson
      July 15, 2021
  32. Adding a sales pitch into this warning makes it a little odd. “Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager: https://my.wpengine.com/products/smart_plugin_manager to your plan today! ” I think this really weakens the alert status and many clients saw this as a sales opp bundled with a WC issue. How critical is this?

    Niall Flynn
    July 15, 2021
    • Hi Niall,

      Thanks for bringing this to our attention!

      It looks like this was from a communication handled by the team at WPEngine – not WooCommerce.

      I’m afraid we have little control over how third-parties communicate this issue, but would appreciate it if you could share with us where you saw this message so that we can provide feedback.

      Thank you!

      Laura

      Laura Nelson
      July 15, 2021
  33. For those searching for details, here’s a list of patched WooCommerce versions (current as of 2021-07-15).
    Either update manually or wait for the update to be pushed if you have patch-releases lower than these:
    – WooCommerce 3.3.6
    – WooCommerce 3.4.8
    – WooCommerce 3.5.9
    – WooCommerce 3.6.6
    – WooCommerce 3.7.2
    – WooCommerce 3.8.2
    – WooCommerce 3.9.4
    – WooCommerce 4.0.2
    – WooCommerce 4.1.2
    – WooCommerce 4.2.3
    – WooCommerce 4.3.4
    – WooCommerce 4.4.2
    – WooCommerce 4.5.3
    – WooCommerce 4.6.3
    – WooCommerce 4.7.2
    – WooCommerce 4.8.1
    – WooCommerce 4.9.3
    – WooCommerce 5.0.1
    – WooCommerce 5.1.1
    – WooCommerce 5.2.3
    – WooCommerce 5.3.1
    – WooCommerce 5.4.2
    – WooCommerce 5.5.1

    Per
    July 15, 2021
    • Thanks so much Per, we’ve also added this to the post too!

      Ryan Ray
      July 15, 2021
  34. Hi Great work

    Just wanted to check – You mention earlier “as a precaution to change passwords”. Could you please confirm if you are referring just to any related woocommerce user accounts such as the shop-manager or also the wordpress user accounts such as admin/editor etc?

    SteveB
    July 15, 2021
    • Yes good question. I would like clarification on this please.

      Many thanks

      Ollie
      July 15, 2021
      • Hi,

        It would be really good to get an official respone.

        Also wanted to check if we need to consider changing any payment gateway public and private api keys?

        SteveB
        July 15, 2021
        • Hi Steve,

          Just to let you know that our original post has now been updated with further details in regards to updating passwords and API keys.

          Thanks,

          Laura

          Laura Nelson
          July 22, 2021
  35. Hey,

    I’m using a modified version of woocommerce 3.7 (so I can’t just update it straight away). Just to be sure I fixed manually the vulnerability, was the vulnerability located in woocommerce\includes\data-stores\class-wc-webhook-data-store.php and the risk was SQL injection right because you skipped the usage of $wpdb->prepare for the search query right?

    Best regards

    Lirol
    July 15, 2021
  36. Hi there,

    I have 4 Websites with Woocommerce. 2 were updated automatically at 4:34 and 5:37 am german time. But the 2 other installs didn’t get the automatic updates.

    All sites have define(‘WP_AUTO_UPDATE_CORE’, ‘minor’); in wp-config. All sites had version 5.5 installed.

    Could you tell me why auto update worked on 2 sites and why not on the 2 others?

    BEST!

    Tobias
    July 15, 2021
    • Hi, Tobias.

      It’s difficult to know why some of your sites didn’t auto-update.

      With a patch as important as this, we recommend checking and doing so manually if needed – which sounds like you already did!

      Kevin Bates
      July 16, 2021
  37. Is this the vulnerability in question?

    CVE-2021-24323 … https://nvd.nist.gov/vuln/detail/CVE-2021-24323

    Please make it a practice always to publish the CVE number on the US National Vulnerability Database, or some other vulnerability reference number, when giving notices or patches like this.

    And thank you for staying ahead of this.

    Oliver Jones
    July 15, 2021
    • Oliver Jones, I’m sure bureaucracy is the last thing on their mind. In fact, it’s the complete opposite of bureaucracy why this was fixed this so fast.

      nanoprobes
      July 15, 2021
    • Follow the WPScan source and you will see this was patched in Version 5.2.0.

      Bill
      July 15, 2021
    • That’s not it. that’s XSS. This one’s a SQL Injection vulnerability and apparently has not yet been assigned a CVE number yet, according to reports on security sites like WordFence and others. If it had been assigned then it would have been cited in reports. This is not unusual when something is happening this fast.

      Roger
      July 15, 2021
  38. Hi i have another problem – i updated Woocommerce to the latest version and my woocommerce germanized plugin is active, but:

    Germanized is inactive. This version of Germanized requires WooCommerce 3.9 or newer. Please update WooCommerce to version 3.9 or newer »

    Can you help me?
    Thx,
    Alex

    Alex
    July 15, 2021
    • Hi, Alex!

      The newest version of WooCommerce is 5.5.1, which is quite a bit newer than 3.9.

      Is it possible there’s a newer version of Germanized that is also updated for newer versions of WooCommerce?

      Thanks!

      Kevin Bates
      July 16, 2021
  39. Hello,

    When using the hand picked block from Gutenberg editor or trying to modify any of my product pages, I keep getting the following message:

    Updating failed. The response is not a valid JSON response.

    I have also received an email from WordPress itself saying my website has a technical issue see below:

    Error Details
    An error of type E_ERROR was caused in line 87 of the file /ho/nin/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/Note.php. Error message: Uncaught Error: Call to undefined method Automattic\WooCommerce\Admin\Notes\Notes::load_data_store() in /ho/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/Note.php:87
    Stack trace:
    #0 /home4/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/MobileApp.php(40): Automattic\WooCommerce\Admin\Notes\Note->_construct()
    #1 /nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Notes/NoteTraits.php(67): Automattic\WooCommerce\Admin\Notes\MobileApp::get_note()
    #2 //nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Events.php(112): Automattic\WooCommerce\Admin\Notes\MobileApp::possibly_add_note()
    #3 /h/nint/public_html/wp-content/plugins/woocommerce/packages/woocommerce-admin/src/Events.php(95): Automattic\WooCommerce\Admin\Events->possibly_add_notes()
    #4 /ho/nin/public_html/wp-includes/class-wp-hook.php(292): Automattic\WooCommerce\Admin\Events->do

    These errors have occurred at the same time … so it looks as though they are linked … I’ve already contacted my host and tried to make manual fixes but nothing is working … I cannot update my product pages at all.

    Please advise … is this issue aware of? Will it be fixed? It was working fine but has stopped somewhere in the last 48 hours.

    Thanks

    925health
    July 15, 2021
    • P.S I have automatic updates on so it’s running the latest patch but still not working.

      Thanks

      925health
      July 15, 2021
    • What was the solution after you contacted woocommerce directly? This is ONE of the problems I’m having. I was almost starting to wonder if I’d been compromised, but bandwidth to my site is below 3MB for the past 24 hours so if I’m compromised, it’s a sleeper that takes up bytes.

      Alex
      July 17, 2021
  40. This looks more serious than I thought it to be initially. Are there specific countries that perhaps, may have been more vulnerable to this or? Should we also alert our users to change their password or admin-level password changes are enough?

    livinglotuschocolate
    July 15, 2021
    • Hi there, thanks for your questions.

      Whether you alert your users to change their password is ultimately your decision to make. Your obligations to notify customers or reset things like passwords will vary depending on things like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised.

      We will be sharing more information with site owners on how to check their own site, which we will publish on our blog when it is ready.

      Our investigations so far have not indicated any specific countries or regions are more vulnerable than any others.

      Gareth
      July 15, 2021
    • Hi there,

      Just to let you know that our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

      Laura Nelson
      July 22, 2021
  41. I’m running WooCommerce 3.9.4 according to “WooCommerce->Status” menu. Is this a correct place to check the version?

    The release date of 3.9.4 under the Woo “Releases” page is 2021-07-14″.

    So I have to update to the 2021-07-14 release, correct?

    The release is a zip file. Can I just install as a “Add New” plug in on top of the existing? Or do I uninstall the existing first?

    Golden Boy
    July 15, 2021
    • Hi there,

      If you’re running 3.9.4, your site is already on the fixed patch – you don’t need to update anything anymore.

      Gareth
      July 15, 2021
    • Quick question. I have updated a number of sites to their next release version. Are these versions patched or do I have to go to 5.5.1?

      Thanks

      Ollie
      July 15, 2021
      • Hi, Ollie!

        As long as they are the latest versions in their release branch you’ll be running the patched version.

        We’ve added a table in the post above so you can check and be sure.

        Thanks!

        Kevin Bates
        July 16, 2021
    • We discovered this on July 4th. We have been cleaning and recovering sites for a week and deleting WooCommerce from these sites. How is it that it took this long for it to be made public? We have been scouring the Internet for information for a week.

      Holly Nelson
      July 16, 2021
      • Hi Holly,

        We were only alerted to the vulnerability on July 13 (via HackerOne). Upon receiving the alert, the team immediately started their investigation and rolled out a security fix.

        If you knew about the issue sooner and have more information to share, the team would be really interested in hearing from you – you can reach out to them here: https://hackerone.com/automattic/

        Thanks,

        Laura

        Laura Nelson
        July 16, 2021
        • Thanks for letting me know the reporting protocol. I’ll work with hosting server admin to report what we know.

          Holly Nelson
          July 16, 2021
        • How can we check to verify our hosted WC sites haven’t been compromised? Does this vulnerability allow remote SQL injection, uploads malware to site, or something else?

          Steve West
          July 16, 2021
          • Hi Steve,

            The team is still investigating this issue, and will release more details as soon as we’re able to do so.

            In the meantime, please ensure you’re using a patched version of WooCommerce (as detailed in the post above).

            Thanks,

            Laura

            Laura Nelson
            July 16, 2021
          • Hi Steve,

            Our original blog post, above, has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

            Thanks,

            Laura

            Laura Nelson
            July 22, 2021
  42. I have version 3.9.2 on a website. If I try to load patched version 3.9.4 the process fails telling me that Woocommerce folder already exists. Do I have to delete folder before update?

    Riccardo
    July 15, 2021
    • Hi there. That’s correct. Uploading a .zip file to update a plugin that’s already present is a functionality that was added in WordPress 5.5. If you’re using an older version of WordPress, then this will not work.

      You can delete WooCommerce and then upload version 3.9.4. The WooCommerce data and settings are stored in your database and not in the plugin files. That said, it’s always a good idea to first make a backup.

      Job
      July 15, 2021
  43. Ever since updating to latest version I’m being plagued by 500 and other errors which take my site offline.
    Not happy.

    joe
    July 15, 2021
    • I understand your frustration here, Joe. Is it possible for you to roll back to a previous version using a site backup?

      If so, I’d recommend doing so and then first updating to the highest version number in your release branch first before updating to WooCommerce 5.5.1 (for example: If your store is running WooCommerce 4.8, first update to WooCommerce 4.8.1).

      If your site is still down and you’re unable to access your site via the front-end to make changes, here’s how you can access it via FTP:
      https://wordpress.org/support/article/common-wordpress-errors/#the-white-screen-of-death

      Hope this helps!

      Gareth
      July 15, 2021
      • I was already at the highest release, 5.5 I think

        Having to roll back an entire site because of a single plugin is a last resort. It always causes other issues when this step is taken.

        I have 500’s, white screens, and multiple access errors killing my site.

        Practical advice would be appreciated rather than the generic “use a backup”

        joe
        July 15, 2021
        • I have noticed memory allocation errors (out of memory) – I have increased the allowance to double what it was previously as a potential quick fix while investigations continue

          I was happily chugging along with PHP Memory Limit set to 128M until this issue with Woo – I have gone up to 256M with Max Execution time upped from 120 to 180

          joe
          July 15, 2021
          • Hi, Joe.

            Sounds like we might need to dig a little deeper into your setup and the best thing would be to open a support ticket.

            https://woocommerce.com/my-account/create-a-ticket/

            Thanks!

            Kevin Bates
            July 16, 2021
          • what was the solution after woocommerce investigated?

            Alex
            July 17, 2021
  44. Would it be possible to manually apply the patch? And if yes, would there be a script to follow? The goal is to apply the patch without affecting customized code.

    One site runs WC 3.7.0 with customization code. After updating to 3.7.2, the whole product section broke. So it has to be restored to the vulnerable state.

    Thank you!

    Young
    July 15, 2021
  45. Hello!

    Just uptaded to 4.8.1, but I’ve read you recommend to change passwords… which passwords are you guys talking about? admin passwords? ftp?… all??

    Thanks for the answer!

    Alvaro
    July 15, 2021
    • “which passwords are you guys talking about?”

      Might want to do them all to be safe. I would also extend this to customer passwords as well, particularly if their accounts grant access to saved credit card information. Quite the can of worms which can be particularly damaging for brands.

      Bill
      July 15, 2021
      • Thanks for responding, Bill.

        Completely agree that it’s best to be safe and change all passwords for all your stores.

        Thanks!

        Kevin Bates
        July 16, 2021
  46. The woocommerce 5.5.0 is what we had downloaded and when it updated, now our site has crashed and I can’t access it.

    lcolescommunitycreativecenterorg
    July 15, 2021
  47. Hi,

    My woocommerce has disappeared. I tried to install it again, but the site says it’s not possible to install it because it’s already in a folder. How and where can I find it?
    Please help as my site is down now.

    Renate

    alurewoonaccessoires
    July 15, 2021
    • I have the exact same problem. Woocommerce completely dissappeared, cannot be re-installed and I have no idea what to do. Can anyone help us?

      lindscence
      July 15, 2021
      • OK, I solved it. In FTP I went to find the woocommerce plugin folder and I renamed it as woocommerce_old, and this allowed me to install the plugin again. I guess you can also just delete the folder as well. But after the fresh install everything loaded back and my website is working normally.

        lindscence
        July 15, 2021
        • Glad you were able to resolve the issue!

          Kevin Bates
          July 16, 2021
    • Sorry to hear that!

      If your site is still down and you’re unable to access your site via the front-end to make changes, here’s how you can access it via FTP:

      https://wordpress.org/support/article/common-wordpress-errors/#the-white-screen-of-death

      Hope that helps!

      Kevin Bates
      July 16, 2021
  48. hi now I just updated from version 4.9.1 to version 4.9.3, is this version safe and ok?

    seostar
    July 15, 2021
    • Hey there – If you’re running 4.9.3, your site is already on the fixed patch – you don’t need to update anything anymore.

      Rommel Castro
      July 15, 2021
  49. I’m using WC 2.6.4. I outsourced to build my e-commerce store and several angular based custom templates and few custom plugins are built and functioning on my site.

    Previously, I tested updating WooCommerce in staging, and it messed up all the custom angular templates and plugins. So we can’t update WooCommerce right away.

    May I know like even the WC 2.6.4 has the same vulnerability? And can you provide a patch for that? ’cause it’ll take time for me to update all the templates and custom plugins.

    psorg28
    July 15, 2021
    • Hi there,

      This issue only affects WooCommerce versions 3.3 to 5.5 and the WooCommerce Blocks feature plugin versions 2.5 to 5.5.

      That is quite an old version of WooCommerce however, so working with your developer to update would be a good idea!

      Thanks!

      Kevin Bates
      July 15, 2021
  50. How long does it take to update? Mine is updating for more than an hour now and nothing is happening. When I open my dashboard in a new page the complete woocommerce plugin is gone. What is happening? Can anyone help me?

    lindscence
    July 15, 2021
    • How strange!

      The time it takes to update would depend mostly on your hosting provider – the update should be fairly quick.

      If the WooCommerce plugin is still gone, I’d download the newest version and install it again manually.

      Thanks!

      Kevin Bates
      July 16, 2021
  51. I’m amazed that so many people don’t keep their plugins up-to-date. WordPress Site Health always flags any non-updates as a risk! Don’t people use the Site Health tool?!

    Carole
    July 15, 2021
    • I must believe that the vast majority would be due to the lack of compatibility of the plugins. This is the great difficulty in a system with thousands of roots like this.

      Flávio
      July 15, 2021
  52. Hi! I have a store that’s running on WordPress version 3.7.2 (before the critical vulnerability was detected). It’s still on version 3.7.2. I tried updating my store to the newest version of WordPress and several things stopped working. My question is, do I even need to update anything? I see that version 3.7.2 is a patched version…

    karlbastian1
    July 15, 2021
    • Hey!

      I assume you mean WooCommerce 3.7.2? 🙂

      If so, yes, that is a patched version and you’re safe from this issue.

      We still recommend staying up to date thought for all the newest features and fixes.

      Thanks!

      Kevin Bates
      July 15, 2021
  53. I have noticed on a new store I setup that when I go to the checkout for a payment a pop up page loads before the checkout, and the url does not change, the popup asks for credit card details. I entered in garbage and hit submit, and the page disappears and the checkout is then left empty. The form which loads is the following html:

    Is this related? I haven’t seen this pop up before, on a similar store. I updated WooCommerce to 5.5.1 but the same pop up is still appearing. I came here to open a ticket but I can’t possibly because I haven’t setup my account correctly.

    charlsouma
    July 15, 2021
    • Hello,

      That doesn’t sound related to this issue.

      Best thing is to submit a support ticket – have you created an account on WooCommerce.com? That’s the best way to get in touch so we can help you work through the issue.

      Thanks!

      Kevin Bates
      July 15, 2021
  54. Thank you so much for handling this so fast! I’m so glad you are using something like HackerOne so that the good guys can find these vulnerabilities before the bad guys do. I’ve upgraded the sites with the error. Thank you so much!

    Sangie
    July 16, 2021
    • Hi Sangie,

      Thank you for the kind feedback – I’ll share this with the team!

      Laura

      Laura Nelson
      July 16, 2021
  55. Hi

    Im running 4.5.3 , listed in the pacthed versions. Sites are a bit older so hesiatt to update.

    4.5.3 is safe to stay on?

    Thank you

    reachdigitalaus
    July 16, 2021
  56. My site automatically updated to WooCommerce 5.5.1, but it’s been affected site speed dramatically…to the point where I’m getting time out errors whilst trying to do simple things like edit a product. I created a duplicate copy of my site on my server…deactivated all the plugins and changed to Storefront theme. The problem persisted. Rolled back to 5.5.0…still have the problem, but roll back to 5.4.2 and all is good….. has a security patch been put in place for 5.4.2 for me to use it ???

    Ray Daley
    July 16, 2021
    • Hi Ray,

      Thanks for letting us know about the rapid decline in your site speed – the team is currently working on a fix for this.

      In the meantime, you’re correct to be using 5.4.2 – a security patch has indeed been put in place for this version.

      Thanks,

      Laura

      Laura Nelson
      July 16, 2021
      • Thanks for the clarification Laura, will try to roll back

        Chad
        July 16, 2021
    • I’m having the same issue, server load is extremely high due not to traffic on the site but due to backend processes, ie looking up orders, shipping orders, adding product etc. Also am wondering if OK’d to roll back WooCommerce to older version.

      Chad
      July 16, 2021
      • Hi Chad,

        We’re sorry to hear that – the team is working on a fix for this.

        In the meantime, you can roll back to version 5.4.2 which contains the security patch.

        Thanks,

        Laura

        Laura Nelson
        July 16, 2021
      • Same problem as me Chad. I am rolling back to 5.4.2 which appears to fix the problem.

        Ray Daley
        July 17, 2021
        • Hi Ray, yes we rolled back to 5.4.2 based on your suggestion and it appears to be holding. Went light on processes today but didn’t see any spikes like the previous day.

          Chad
          July 17, 2021
  57. I am using version 3.4.8 and as far as I see from the table of Patched WooCommerce versions, the 3.4.8 is listed.

    Does it mean that I don’t need to do anything?

    Cody
    July 16, 2021
    • Hi Cody,

      3.4.8 is indeed a version containing the security patch, so no further updates are required right now.

      That being said, 3.4.8 is a very old version of WooCommerce, and we do recommend working towards updating to the latest version. More information on how to do this safely can be found here: https://docs.woocommerce.com/document/how-to-update-woocommerce/

      Thanks,

      Laura

      Laura Nelson
      July 16, 2021
  58. Thanks for letting us know about this vulnerability,

    For now, we are working to upgrade our Development website and try to fix the issue if there are any.

    So, if we could update the Woocomerce on our Live website by Monday then is it safe for our site?

    Or we can temp down our store for two days?

    What do you guys suggest?

    Thanks

    Dexter Morgen
    July 16, 2021
    • Hi Dexter,

      We’re strongly recommending that you update your website immediately if it isn’t already using a patched version.

      The team has released security patches for WooCommerce versions 3.3 – 5.5, and so at the moment, you just need to ensure that you’re running on the latest version for your release branch.

      Thanks,

      Laura

      Laura Nelson
      July 16, 2021
  59. Did my site affected if I did not utilize WooCommerce webhook search function?

    Thanks.

    Stephen
    July 16, 2021
    • Hi Stephen,

      If you have WooCommerce 3.3 or later installed on your site, then the vulnerability exists in WooCommerce and you’ll need to update.

      Gareth
      July 16, 2021
  60. Hi,

    “We will be sharing more information with site owners on how to investigate this security vulnerability on their site”
    When will you announce this?
    I am about to add new products to my shop and I don’t want to do it twice if a big recovery is actually needed.
    Thanks!

    Tamas
    July 16, 2021
    • Hi Tamas,

      Our original post has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

      Laura Nelson
      July 22, 2021
  61. i updated to Version 5.0.1. is this version have the patch so i don’t have to update any further??

    peter
    July 16, 2021
    • Hi, Peter – yes, WooCommerce 5.0.1 has the patch.

      Gareth
      July 16, 2021
  62. As WordFence and Sucuri both block generically against SQL injection attacks, would either have protected a site?

    Clive
    July 16, 2021
    • Hi Clive,

      The investigation of this issue is still ongoing, and we do not have this information yet. It’s therefore imperative that you update your website to one of the patched versions listed in the post above (if you have not already done so).

      Thanks,

      Laura

      Laura Nelson
      July 16, 2021
  63. every time there is an update 24 hours another update comes out to fix dozens of issues

    but this is crazy!

    one pound sweets
    July 16, 2021
  64. After the upgrade to 5.5.1 follows the problem, I don’t see the products. What can you do?

    interpatrimonio
    July 16, 2021
  65. This destroyed my server. My host and I have been troubleshooting for over 24 hours. This turfed my server so bad that I can’t even restore from backup. If I find a way to restore my backup, I’ll be staying on the vulnerable edition and blocking the vulnerability with my WAF.

    I’m a reseller host, and my host is on google. My support department is working with my hosts support department who are working together with google support. This update for the critical vulnerability unleashes several hard to stop processes that just hang the server.

    tbaytkadmin1
    July 17, 2021
    • Do you have any info yet on how we can safely block this vulnerability via WAF?

      ElZeddo
      July 18, 2021
  66. Hi

    Naveed
    July 17, 2021
  67. I have woocommerce 5.4.1 install… I update it multiple time but everytime it creates issue and slow down my side…

    Naveed
    July 17, 2021
    • Hi Naveed,

      Which version are you trying to upgrade to?

      We’re aware of an issue in 5.5.1 which is causing some sites to slow down. The team is actively working on this, and in the meantime are recommending updating to 5.4.2 instead.

      As 5.4.1 does not contain the security patch, it’s really important that you update it to one of the patched versions listed above.

      If you continue to experience issues with updating, please contact our support team directly: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 17, 2021
  68. I’ve been informed by one of clients that their “Orders” section is painfully slow. We have gone in to look. everything else works fine. Loading an order takes a long time.

    Chas
    July 17, 2021
    • Hi Chas,

      Thanks for letting us know, and we’re sorry to hear that’s happening!

      If you’re using WooCommerce 5.5.1, there is a known issue that is causing some sites to slow down. The team is actively working on a fix now, but in the meantime rolling back to version 5.4.2 would resolve the issue.

      If this is occurring with a different version of WooCommerce, please contact our team of Happiness Engineers directly so that they can investigate: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 19, 2021
  69. We updated as soon as we got the email and have been experiecing issues since.
    When trying to process orders it just spins until we get a 504 Timeout error although it does normally update the order this is very time consuming. this also happens in other areas of the backend on the website.
    Is there a suggested solution for this?
    We currently have Developer Support looking into this and our Hosting provider also.
    Thank You for your help
    Jarrod

    Jarrod
    July 18, 2021
    • Maybe you hit this bug: https://github.com/woocommerce/woocommerce-admin/issues/7358

      Christos Chatzaras
      July 18, 2021
    • Hi Jarrod,

      We’re sorry to hear that’s happening!

      If you’re using WooCommerce version 5.5.1, there is a known issue that is slowing some stores down. The team is working on a fix for this right now, and the recommended solution, for the time being, is to roll back to version 5.4.2.

      If this issue is occurring on any other version of WooCommerce, please contact our team of Happiness Engineers who’ll be able to investigate for you: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 19, 2021
      • My products sell out, but product quantities not changing to zero – I went in and manually changed to zero and an hour later, someone bought one of the sold out products!! I’m monitoring and last few sold out have worked properly so perhaps coincidental?? Please advise if I need to do something.

        Janet
        July 19, 2021
        • Hi Janet,

          How strange! This doesn’t sound like it’s connected to this issue, but I’d recommend getting in touch with our team of Happiness Engineers anyway: https://woocommerce.com/my-account/create-a-ticket/

          They’ll be able to take a closer look and provide some advice.

          Thanks,

          Laura

          Laura Nelson
          July 20, 2021
  70. What _I_ need to know is if this only affects WooCommerce installations WITH Gutenberg. Cause ClassicPress obviously aint got that 🙂

    So a proper link to the bug report inside the article would be nice, instead of a rather bothersome “just update, you dont understand anything anyway”.

    cu, w0lf.

    fwolf
    July 19, 2021
    • Hi there,

      This affects WooCommerce versions 3.3 – 5.5, regardless of whether you’re using Gutenberg or Classic Press. It’s therefore really important that you upgrade to the patched version in your release branch.

      The team is still investigating this issue and we will release more details as soon as we’re able to do so.

      Laura

      Laura Nelson
      July 19, 2021
  71. My site now reports the dreaded 500 error and I am looking to rolling any changes back

    Could you confirm if there was there a forced update and at what date/time and was it to a file within the woocommmerce folder(s) or was it a database update.

    Thanks
    Mike Webb

    Mike Webb
    July 19, 2021
    • Hi Mike,

      On July 14, WordPress.org rolled out an automatic security update to websites running versions of WooCommerce that had been identified as being affected by a critical vulnerability. I’m afraid we’re unable to identify the exact time this happened, but you can check whether you’re running a patched version of WooCommerce using the table in the blog post.

      If you are manually re-installing the WooCommerce and/or WooCommerce blocks plugins, we do recommend that you install the latest version within the release branch you had on your site prior to the update. So for instance, if you had WooCommerce 5.4.1, then you would want to install 5.4.2. You can find all the relevant versions in the table listed in the above post.

      If you continue to experience problems, please do reach out to our team of Happiness Engineers who will be able to assist you: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      July 19, 2021
  72. Hi

    I have a client with a mothballed Woocommerce site version 3.0.7 which is currently activated but not used ie used for historical reference only and as such there requiredmentt for an updated version at this stage.

    Understand deactivating reduces the risk but the leading question is:

    Is this version vulnerable?

    Thanks
    Stuart

    Stumac
    July 19, 2021
    • Apologies!

      and as such there requiredmentt for an updated version at this stage.

      should read:

      and as such there is no requirement for an updated version at this stage.

      stumac
      July 19, 2021
      • Hi Stumac,

        WooCommerce 3.0.7 is not one of the affected versions, so no action is required here.

        Thanks,

        Laura

        Laura Nelson
        July 19, 2021
  73. We received this SQL query, does it have something to do with the vulnerability?

    SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id
    FROM wp_posts AS posts
    INNER JOIN wp_term_relationships AS term_relationships ON posts.ID = term_relationships.object_id
    INNER JOIN wp_term_taxonomy AS term_taxonomy USING( term_taxonomy_id )
    INNER JOIN wp_terms AS terms USING( term_id )
    WHERE posts.ID IN ( SELECT wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_type = ‘product’ AND ((wp_posts.post_status = ‘publish’)) ORDER BY wp_posts.post_date DESC, wp_posts.ID DESC )
    AND term_taxonomy.taxonomy IN (“abc”) or if(1=length(version()),1,sleep(5))#”)
    GROUP BY terms.term_id

    mario
    July 19, 2021
  74. Is there any more information available regarding this vulnerability? We’re up to date with updates and have reset passwords as a precaution, but I’m wondering if there are clear signs we should be on the lookout for which might indicate an actual security breach on the local level?

    When can we expect WC to issue updated information?

    Kelli
    July 19, 2021
    • Hi Kelli,

      Our original post, above, has now been updated with details on how you can check if you were impacted by this, along with details of other protective measures you can take.

      Thanks,

      Laura

      Laura Nelson
      July 22, 2021
  75. Since last week and the WooCommerce update, I have now upgraded WordPress to 5.7.2 and PHP to 7.4 and my site is fine as long as I don’t activate the WooCommerce plugin.

    I am running Woocommerce 3.6.5 and have also tried upgrading to 3.6.6 but am getting message “Server Error 500 – Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.”

    Are you able to assist, can I get more info on this problems

    thanks

    Mike Webb

    Mike Webb
    July 20, 2021
  76. HOLA,

    EN MI WEB SALEN DOS FALLOS CRITICOS DE SALUD DESPUES DE VUESTRA VULNERABILIDAD E INTENTADO ABRIR UN TICKET EN SOPORTE PERO NO ME DEJA.

    SI DESACTIVO VUESTRO PLUGIN EL ERROR SE CORRIGE.

    1 / SE HA DETECTADO UNA SESION PHP ABIERTA.

    Se ha creado una sesión PHP por la llamada a la función session_start(). Esto interfiere con la API REST y las solicitudes de retorno. La sesión debería ser cerrada por session_write_close() antes de hacer cualquier solicitud HTTP.

    2 / LA API REST HA ENCONTRADO UN ERROR

    La API REST es una forma en que WordPress y otras aplicaciones se comunican con el servidor. Un ejemplo es la pantalla del editor de bloques, que se basa en esto para mostrar y guardar tus publicaciones y páginas.

    Ha fallado la solicitud a la API REST debido a un error.
    Error: cURL error 28: Operation timed out after 10000 milliseconds with 0 bytes received (http_request_failed)

    ALGUNA SOLUCIÓN?

    MUCHAS GRACIAS.

    samuelmn86gmailcom
    July 20, 2021
    • Hello,

      Thanks for reaching out, and I’m sorry to hear you’re experiencing issues!

      On the surface, these issues do not look like they’re related to the vulnerability issue detailed in this post. Have you been able to update to the latest version of WooCommerce in your release branch, despite these errors?

      If you’re unable to open a support ticket, the best place to report this issue and seek assistance would be the WooCommerce Support Forum: https://wordpress.org/support/plugin/woocommerce/

      Thanks,

      Laura

      Laura Nelson
      July 20, 2021
  77. Laura

    Thanks for your assistance so far. I have now been able to activate WooCommerce Version 3.6.5 but am unable to update it to the require version, 3.6.6.

    This may be due to my web host, are you able to email me a zipped version of V3.6.6 as I can no longer download it from your site?

    Thanks

    Mike Webb

    Mike Webb
    July 20, 2021
    • Hi Mike,

      You’re welcome!

      A zipped version of WooCommerce 3.6.6 is available via this link: https://developer.woocommerce.com/releases/

      If you’re having issues downloading this or updating further, please do seek assistance from our dedicated support team: https://woocommerce.com/my-account/create-a-ticket/

      They’ll be in the best position to support you with this issue.

      Thanks,

      Laura

      Laura Nelson
      July 20, 2021
      • Laura

        To manually install the plug-in, can I just simply empty my existing woocommerce folder and replace with the contents of this zip file? Will it keep all my settings and products and orders?

        Mike

        Mike Webb
        July 20, 2021
        • Hi Mike,

          Uploading a .zip file to update a plugin that’s already present is a functionality that was added in WordPress 5.5, so for older versions, you’ll need to do the following:

          You can delete WooCommerce and then upload version 3.6.5. The WooCommerce data and settings are stored in your database and not in the plugin files, so your settings, products, and orders should all stay in place. That said, it’s always a good idea to first make a backup.

          Thanks,

          Laura

          Laura Nelson
          July 21, 2021
  78. Thank you for warning and patching so quickly. After Upgrading to 5.1.1, the warning message remains. Is that intended?

    Matt
    July 21, 2021
    • Hi Matt,

      Thanks for letting us know – I don’t believe that is intended. I’ve passed this on to the team!

      Cheers,

      Laura

      Laura Nelson
      July 21, 2021
    • Hi again Matt,

      I’ve just checked with the team, and they mentioned that you could still be seeing this message because you have an unpatched version of WooCommerce Blocks installed.

      Would you be able to check whether you’re also running this plugin, and if so, ensure that it’s updated to use one of the versions of WooCommerce Blocks listed in the table above, please?

      Thanks,

      Laura

      Laura Nelson
      July 21, 2021
  79. Can someone let me know if this “vulnerability” is related to the huge numbers of fake orders we have had over the past few days?

    Is that what the issue was causing?

    We have updated to the latest versions of WordPress and Woo-Commerce but the problem has persisted.

    We have taken the general anti-spam precautions in settings, have Capthcha installed and Wordfence – but we are still having this problem – always with Handepay orders.

    Can anyone advise?

    Many thanks

    Greg Eden (JPC Direct)

    Greg Eden
    July 21, 2021
    • Hi Greg,

      I’m so sorry to hear you’re experiencing a high volume of fake orders – that must be really frustrating.

      On the surface, it doesn’t sound like this would be related to the vulnerability issue, but I’d recommend getting in touch with our support team so that they can take a closer look: https://woocommerce.com/my-account/create-a-ticket/

      If the common theme is Handepay orders, it would also be worth reaching out to Handepay directly to see if they have any insight on this.

      Thanks,

      Laura

      Laura Nelson
      July 21, 2021
    • I am also experiencing many fake orders since the patch – any ideas? Nick

      Nick Allen
      July 27, 2021
  80. Hi,
    I am running Woocommerce plugin version 5.4.2 and Woocommerce Blocks version 5.3.2

    Can I use the manual update for both and update them directly to version 5.5.1 for both plugins without being in the riskzone?

    Regards
    Amir

    Amir
    July 21, 2021
    • Hi Amir,

      WooCommerce 5.4.2 and WooCommerce Blocks 5.3.2 are both updated versions that contain the security patch, so you’re already covered 🙂

      If you’d like to upgrade to version 5.5.1 anyway, we’d recommend following the instructions on this page: https://docs.woocommerce.com/document/how-to-update-woocommerce/ to make sure you don’t run into any issues while doing so.

      Cheers,

      Laura

      Laura Nelson
      July 21, 2021
      • One question please, i update woocommerce 5.5.2 now not working wishlist page i have YITH plugin for wihlist, and im interesting too it is important? That i immediately change payment method s API KAYS?

        Gizo
        July 25, 2021
  81. Please tell me , is this important that upgrade my payment plugins api kays? My website not broken and good working now, i update woocommerce 5.5.2 version

    Gizo
    July 25, 2021
    • Hi Gizo,

      We do recommend changing any private or secret data stored in your WordPress/WooCommerce database – this may include API keys, public/private keys for payment gateways, and more, depending on your particular store configuration.

      More information about this can be found in the blog post above.

      Thanks,

      Laura

      Laura
      July 26, 2021
  82. Hi. My site are up to date, however yesterday in the access logs I notice the first ip you are mention here in this article – 137.116.119.175

    137.116.119.175 ***************.com – [25/Jul/2021:10:36:56 +0000] “GET / HTTP/1.1” 200 88 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36” | – | – – 0.001 – 0 NC:000000 UP:-

    So now I wonder, if this was fix, how is possible the address still to be in access logs and do we need to do something? Block the ip maybe?

    Nenad
    July 26, 2021
    • Hi Nenad,

      If your website is using the most recent version of WooCommerce or one of the patched versions listed above, then no data would’ve been leaked because of this vulnerability – even if there are requests from malicious IPs.

      The patch rolled out by us does not block the IP, but fixes the underlying vulnerability.

      For peace of mind, you can block all of the IPs in the list above.

      Thanks,

      Laura

      Laura Nelson
      July 27, 2021
      • Thank for your kind replay

        Nenad
        July 27, 2021
  83. Hi,
    Please tell me , is this important that upgrade because Our site WordPress version is 5.4. I have used Woocommerce plugin that version is 3.9.0. I have tried to upgrade woocommerce version but wordpress version is not supported. so i need to upgrade wordpress version. but dont want to upgrade wordpress version and i want to upgrade woocommerce version only. if there are any other option without upgrading the wordpress version then Please help me.

    vasuki4769
    July 28, 2021
    • Hello!

      Yes, it is very important that you update WooCommerce to a patched version as soon as possible.

      Patches have been released for versions 3.3 – 5.5, so instead of going straight from 3.9.0 to 5.5.2, you can upgrade to 3.9.4. This would eliminate the need to upgrade your WordPress version. If you’re still having difficulties, you can manually download the zip file for this version here: https://developer.woocommerce.com/releases/

      That being said, if you are using WordPress 5.4.0, this is an insecure version of WordPress, and at a minimum, should be updated to version 5.4.2. More details here: https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

      Thanks,

      Laura

      Laura Nelson
      July 29, 2021
  84. i am running woocommerce version 3.2.1 and wordpress version 4.7.21.to which woocommerce version should i update?

    Jaina Sunny
    July 30, 2021
    • i am running woocommerce version 3.1.2 and wordpress version 4.7.21.to which woocommerce version should i update? i had updated to woocommerce 3.3.6.Is that okay?

      Jaina Sunny
      July 31, 2021
      • Hi Jaina,

        WooCommerce 3.1.2 was not an affected version, and 3.3.6 is a patched version, so either is safe to continue using.

        That being said, both are very old versions of WooCommerce, and we do recommend working towards updating to the latest version. More information on how to do this safely can be found here: https://docs.woocommerce.com/document/how-to-update-woocommerce/.

        Thanks,

        Laura

        Laura Nelson
        August 3, 2021
  85. Hi Laura Nelson,

    Thank you for your response. Sure I will try it.

    vasuki4769
    July 30, 2021
    • I posted here earlier but I do not see it. I am running the most recent version of wordpress and woocommerce. My website is shutting down, coming back up repeatedly. Can you please advise us what to do to fix this issue? Thanks

      Judy Wolinsky
      August 2, 2021
      • Hi Judy,

        If you’re experiencing issues with WooCommerce 5.5.2, the best place to seek help would be with our support team.

        Please raise a ticket with them via this link: https://woocommerce.com/my-account/create-a-ticket/

        Thanks,

        Laura

        Laura Nelson
        August 3, 2021
  86. It’s been sometime now since this issue was discovered. Do we have any update on which sites were compromised and if so what data etc?

    Many thanks

    Ollie
    August 3, 2021
  87. Anybody experienced product checkout process issues? We are having issue with product total. Subtotal seems ok but total will be zero. Also its not updating customer shipping info in order details.

    Tried different them, removing WooCommerce tables and installing plugin again etc. nothing seems to work

    Tinku Tharasing
    August 3, 2021
  88. A new administrator account has been created on one of the domains on which woocommerce is installed. A new file was also automatically created each time it was deleted. I send the content of the file in pastebin – pastebin[dot]pl/view/c22ec65a. Disabling woocommerce stopped the automatic creation of the unwanted file

    Gregorio
    August 4, 2021
  89. Hello – I am on 4.8.0 – this would be the latest patched version for my ‘branch” – correct? Do I still need to update to 5.5.1? I am worry about that, It had be create problem for our website if we update! please guide me! Thanks.

    Ridhwan
    August 5, 2021
    • Hi Ridhwan,

      4.8.0 is not an updated version of WooCommerce, so you will need to upgrade to a patched version ASAP.

      You don’t need to jump straight to 5.5.1, there’s a patched version in your release branch (4.8.1) that you can update to instead.

      A full list of patched versions has been included in the blog post above, please make sure you update to one of those as soon as you can.

      Thanks,

      Laura

      Laura Nelson
      August 5, 2021
  90. For the love of Gooooooood, i was criptonited XD my website broken, and now more with my ex girlfriend, a perfect day. now i cant update, and 500 internal server error, dude i need a miracle, im done for a few hours, something its in my db, i cant log, phpmyadmin do not log, deleting the plugin woocomerce i could login in my wp-admin again, but now broken again, my ex girlfriend not calling me too, wth, i need a rest.. zzzzzzz i back in 12h , plz fix this awesome tool, we need a solution

    SUPERMAN
    August 7, 2021
    • Hi there,

      We’re really sorry to hear this!

      If you’re still experiencing problems, I’m sure our support team will be able to help you figure out what’s going on. You can raise a ticket via this link: https://woocommerce.com/my-account/create-a-ticket/

      It may also be worth contacting your hosting provider’s support as well just in case the issue is on their end.

      Thanks,

      Laura

      Laura Nelson
      August 9, 2021
  91. gracias a todos por notificar.

    Adrián
    August 7, 2021
  92. We have been locked out of out of our site. No matter what time of day we try to sign out we get a notice saving there has been too many attempts to log on. Can some please help us. this has been since the updates.

    Joan
    August 13, 2021
    • Hi Joan,

      I’m really sorry to hear you’re experiencing issues with logging in!

      To get help with this, please contact our support team directly via this link: https://woocommerce.com/my-account/create-a-ticket/

      Thanks,

      Laura

      Laura Nelson
      August 16, 2021
  93. I am on 3.5.9 and can’t upgrade. No problem, just download the patched version of 3.5.9 and manually update, right?

    I unzipped the patched version and did a unix diff -qr against what I already have in my plugin/woocommerce dir. The only difference found is three image files:(new in the patch)
    woocommerce/assets/images/eway-logo.jpg
    woocommerce/assets/images/storefront-bg.jpg
    woocommerce/assets/images/wcs-canada-post-logo.jpg

    So there’s no code difference in the patch vs what I have? Do I need to copy those image over to my production area? THANKS!

    WhatAmIMissing
    August 13, 2021
    • Hi there,

      WooCommerce 3.5.9 is already a patched version, so there’s no need to manually update! If you didn’t manually update to 3.5.9 yourself, it’s likely your website was included in the automatic security update we rolled out last month.

      Thanks,

      Laura

      Laura Nelson
      August 16, 2021

Stay up to date with WooCommerce emails

View our privacy policy. You can unsubscribe anytime.

Subscribing...

There was an error subscribing; please try again later.

Thanks for subscribing!
Emails will be sent to

View our privacy policy. You can unsubscribe anytime.

You're already subscribed!
Emails are sent to

View our privacy policy. You can unsubscribe anytime.

Use of your personal data
We and our partners process your personal data (such as browsing data, IP Addresses, cookie information, and other unique identifiers) based on your consent and/or our legitimate interest to optimize our website, marketing activities, and your user experience.