On July 14, 2021, WooCommerce announced that their security researchers detected a critical vulnerability that could affect millions of users.
Based on that they urged publishers using the WooCommerce plugin or the WooCommerce Blocks plugin to update the plugins if this has not been done automatically.
What was the vulnerability about?
The vulnerability found is known as a SQL Injection. This is a kind of severe vulnerability that WooCommerce tried to push update automatically to concerned publishers.
A warning was issued to ask publishers to check manually for updates as some have reported that this was not done automatically.
Have WooCommerce Sites been Compromised in anyway?
No evidence of a widespread attack has been found that could compromise Websites using the plugin according to WordFence (1).
As stated by WordFence:
“While the original researcher has indicated that this vulnerability has been exploited in the wild, Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted”.
What is exactly a SQL Injection?
A SQL Injection is a vulnerability that gives a malicious hacker way to gain control of the database makes it display stored data such as email, username and passwords.
According to WooCommerce developers, affected stores (if there are) could see information about the site administration being displayed but could also those about orders and customers.
How do I know if my WooCommerce version is safe?
WooCommerce has released a list of version branches on its website (2) to allow publisher to check if there is a need to worry or not. In general, the advice they give is to update to the latest version.
Bring Home Advice
If you are running any plugin or theme on WordPress, it is always a good practice to check for update and if necessary, update to the latest version of what you are using.
In most cases, with the current version of WordPress (5.7.2), plugins and theme update may happen automatically if set to do so. Note that the current WooCommerce version is 5.5.1
One thought on “What to know about the recent WooCommerce vulnerability?”