Critical Vulnerability Detected in WooCommerce on July 13, 2021: What You Need To Know

A critical vulnerability in WooCommerce was discovered and responsibly disclosed by security researcher Josh through our HackerOne security program.

Our team was immediately alerted to the issue and carried out a thorough investigation. We also audited all codebases related to the issue. A patch was created to address the problem in every affected version (90+ releases), and it was automatically deployed to vulnerable stores.

What actions should I take if I own a WooCommerce store?

On July 14, 2021, automatic software updates to WooCommerce 5.5.1 started rolling out to all stores running impacted versions of the plugins. However, we recommend that you always make sure you are using the latest version. For WooCommerce this is 5.5.2*, or the most recent version in your release branch. You should also be running WooCommerce Blocks version 5.5.1.


After updating to a patched version, we also recommend:

  • Updating the passwords of all Admin users on your site, especially if they use the same passwords across multiple websites.
  • Rotating any WooCommerce and Payment Gateway API keys on your site.

These steps are described in more detail below.

* WooCommerce 5.5.2 was published on July 23, 2021. The fixes it contains are not related to the security vulnerability.

How can I tell if my version has been updated?

Below is the full list of patched versions of WooCommerce and WooCommerce Blocks. If your version of WooCommerce or WooCommerce Blocks is not listed, please upgrade immediately to the latest version in your branch.

Patched WooCommerce version    Patched WooCommerce Blocks version
3.3.6                          2.5.16
3.4.8                          2.6.2
3.5.9                          2.7.2
3.6.6                          2.8.1
3.7.2                          2.9.1
3.8.2                          3.0.1
3.9.4                          3.1.1
4.0.2                          3.2.1
4.1.2                          3.3.1
4.2.3                          3.4.1
4.3.4                          3.5.1
4.4.2                          3.6.1
4.5.3                          3.7.2
4.6.3                          3.8.1
4.7.2                          3.9.1
4.8.1                          4.0.1
4.9.3                          4.1.1
5.0.1                          4.2.1
5.1.1                          4.3.1
5.2.3                          4.4.3
5.3.1                          4.5.3
5.4.2                          4.6.1
5.5.1                          4.7.1
5.5.2                          4.8.1

Why did my site not get an automatic update?

There are several reasons why your site might not have updated automatically. Some of these include: your site is running an older version (below WooCommerce 3.3), automatic updates have been disabled on your site, the filesystem is read-only, or you have potentially conflicting extensions that are preventing the update.

Apart from the first (in which case the patch does not apply to you), you should manually update to the latest version in your release branch (e.g. 5.5.2, 5.4.2 or 5.3.1, respectively, as shown in the table above).


Is there any evidence of data being compromised?

Based on the evidence currently available, we believe that any exploit is limited.

The data exposed for a given store will be specific to the data that store holds, but could include customer and order information.

How do I find out if my store has been exploited?

There is no definitive way to confirm an exploit, because of the nature of the vulnerability and the flexible way WordPress (and WooCommerce) handles web requests. You may be able to detect exploit attempts by looking at your web server's logs or by asking your web host for help. Requests in the following formats between December 2019 and now are likely to indicate an exploit attempt.

  • REQUEST_URI matching the regular expression /wp-json/wc/store/products/collection-data.*%25252.*
  • REQUEST_URI matching the regular expression /.*/wc/store/products/collection-data.*%25252.*
  • Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
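As an added example (not part of the advisory), here is a small Python scanner that applies the three request formats above to access-log lines in the common "combined" format, so a store owner can triage a log export offline. The log format and the sample traffic are constructed assumptions; the endpoint paths and the December 2019 window are the advisory's.

```python
import re
from datetime import datetime, timezone

# Request formats listed in the advisory; endpoint paths exactly as given there.
COLLECTION_DATA = "/wp-json/wc/store/products/collection-data"
REST_ROUTE_ALT = "/?rest_route=/wc/store/products/collection-data"
URI_RULES = [  # rules 1 and 2: the advisory's REQUEST_URI regular expressions
    re.compile(r"/wp-json/wc/store/products/collection-data.*%25252", re.I),
    re.compile(r"/.*/wc/store/products/collection-data.*%25252", re.I),
]
WINDOW_START = datetime(2019, 12, 1, tzinfo=timezone.utc)  # start of the advisory's window

# Assumed Apache/nginx "combined" format: ip ident user [time] "method uri proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Parse one combined-format access log line; return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method.upper(), "uri": uri, "status": int(status)}

def matched_rule(req):
    """Return which advisory rule (1, 2 or 3) a parsed request matches, or 0 for none."""
    if req is None or req["time"] < WINDOW_START:
        return 0
    for n, rule in enumerate(URI_RULES, start=1):
        if rule.search(req["uri"]):
            return n
    path = req["uri"].split("?", 1)[0]  # rule 3: any non-GET request to the endpoint
    if req["method"] != "GET" and (path == COLLECTION_DATA or req["uri"].startswith(REST_ROUTE_ALT)):
        return 3
    return 0

def scan(lines):
    """Return (ip, rule, uri) for each log line that looks like an exploit attempt."""
    reqs = [parse_line(line) for line in lines]
    return [(r["ip"], matched_rule(r), r["uri"]) for r in reqs if matched_rule(r)]

# Constructed sample log lines (not real traffic); IPs come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jul/2021:10:00:01 +0000] "GET /wp-json/wc/store/products/collection-data?q=%25252 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2021:10:00:02 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 300 "-" "curl/7.68.0"',
    '198.51.100.7 - - [15/Jul/2021:10:00:03 +0000] "GET /?rest_route=/wc/store/products/collection-data&q=%25252 HTTP/1.1" 200 300 "-" "curl/7.68.0"',
    '192.0.2.5 - - [15/Jul/2021:10:00:04 +0000] "GET /wp-json/wc/store/products/collection-data?category=12 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Nov/2019:09:00:00 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 404 100 "-" "curl/7.68.0"',
]
```

Running scan(SAMPLE_LOG) flags the first three lines (rules 1, 3 and 2 respectively); the ordinary catalogue request and the request from before December 2019 are left alone.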

We have observed requests exploiting this vulnerability coming from the following IP addresses. Over 98% of them are from the first on the list. If these IP addresses appear in your access logs, exploit attempts are likely.


What passwords should I change?

Your password is hashed, so it is unlikely that your password was compromised.

WordPress passwords are hashed with salts, which makes it very difficult to recover the password from the hash value. This salted hashing protects your admin password and all passwords on your site, customers included. Although it is possible that the hashed password in your database was accessed through this vulnerability, the hash does not reveal the password and will still protect your passwords against unauthorized use.

This assumes your site uses the standard WordPress password management system for users. Depending on which plugins you have installed, passwords and other sensitive information may be stored in less secure places.

We recommend that Administrators who may have used the same passwords across multiple websites update their passwords on your site to avoid any possible compromise.

We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways, and other data depending on your store's configuration.

As an extension developer, should I notify the WooCommerce merchants I work with?

We encourage you to communicate with the WooCommerce merchants and stores you work with so they know about the issue and update their store to stay secure.

We also encourage merchants to reset any keys used to connect to an extension you have built or to a SaaS product that uses the WooCommerce API.

As a store owner, should I notify my customers?

It is up to you whether you notify your customers. Your obligations to notify customers and reset passwords will depend on many factors, including your site infrastructure, your customers' geographical locations, the data you collect, and whether your site has been compromised.

Protecting your customers' data is the most important thing you can do. Make sure to upgrade your WooCommerce version to fix this vulnerability.

After updating, we recommend:

  • Updating the passwords of Administrator users on your site, especially if you use the same passwords across multiple websites.
  • Rotating any WooCommerce and Payment Gateway API keys on your site.

It is up to you, the store owner, to decide whether additional security measures are necessary. WordPress and WooCommerce user passwords are hashed with salts, which makes it very difficult to crack the hash value. This salted hashing is used for all passwords on your site, including those of your customers.

Is WooCommerce still safe?

Although incidents like this are rare, they do happen. We will always respond quickly and work with full transparency.

The team has worked tirelessly since learning about the vulnerability, including ensuring that our users were informed.

We continue to invest in platform security to avoid the majority of problems. However, in the rare instances that could affect stores, we work with the WooCommerce community to communicate effectively, fix the problem quickly and solve it together.
