WooCommerce mandates security update after critical vulnerability was detected

WooCommerce Storefront
(Image credit: WooCommerce)

Free WordPress open source plugin WooCommerce has created a patch fix for a critical vulnerability that was identified on July 13, 2021 through the company's HackerOne security program.

The company found that the vulnerability affected the WooCommerce plugin versions 3.3 to 5.5, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin.

WooCommerce says it began conducting an investigation, audited all related codebases, and deployed an automatic patch fix to all stores that were affected.

In a security update blog post, WooCommerce said: "Automatic software updates are rolling out now to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.1 or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1." 

Data compromised 

It is still unclear whether the data of those affected had been compromised, although WooCommerce has said it will be sharing more information with site owners on how to investigate this particular security vulnerability on their websites, as and when the information becomes available.

If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information, WooCommerce revealed.

In an email, WooCommerce informed online store owners that stores hosted on WordPress.com and WordPress VIP had already been secured. 

WooCommerce provided the patch to WordPress.org, with automatic software updates still in the roll out process. This will be for the security of all stores running on impacted versions of each plugin.

The company is still working with the WordPress.org Plugin Team to automatically update as many stores as possible to "secure versions of WooCommerce".

It has also been advised that after installing the patched version, online store owners should update their passwords.

Via WP Tavern

Abigail Opiah
B2B Editor - Web hosting & Website builders

Abigail is a B2B Editor that specializes in web hosting and website builder news, features and reviews at TechRadar Pro. She has been a B2B journalist for more than five years covering a wide range of topics in the technology sector from colocation and cloud to data centers and telecommunications. As a B2B web hosting and website builder editor, Abigail also writes how-to guides and deals for the sector, keeping up to date with the latest trends in the hosting industry. Abigail is also extremely keen on commissioning contributed content from experts in the web hosting and website builder field.