Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know

Last Updated: July 23, 2021

On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.

Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.

I have a WooCommerce store – what actions should I take?

Automatic software updates to WooCommerce 5.5.1 began rolling out on July 14, 2021, to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.2* or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin.

Important: With the release of WooCommerce 5.5.2 on July 23, 2021, the auto-update process mentioned above has been discontinued.

After updating to a patched version, we also recommend:

  • Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

There’s more information about these steps below.

* WooCommerce 5.5.2 was released on July 23, 2021. The fixes contained in this version are unrelated to the recent security vulnerability.

How do I know if my version is up-to-date?

The table below contains the full list of patched versions for both WooCommerce and WooCommerce Blocks. If you are running a version of WooCommerce or WooCommerce Blocks that is not on this list, please update immediately to the highest version in your release branch.

Patched WooCommerce versions    Patched WooCommerce Blocks versions
3.3.6                           2.5.16
3.4.8                           2.6.2
3.5.9                           2.7.2
3.6.6                           2.8.1
3.7.2                           2.9.1
3.8.2                           3.0.1
3.9.4                           3.1.1
4.0.2                           3.2.1
4.1.2                           3.3.1
4.2.3                           3.4.1
4.3.4                           3.5.1
4.4.2                           3.6.1
4.5.3                           3.7.2
4.6.3                           3.8.1
4.7.2                           3.9.1
4.8.1                           4.0.1
4.9.3                           4.1.1
5.0.1                           4.2.1
5.1.1                           4.3.1
5.2.3                           4.4.3
5.3.1                           4.5.3
5.4.2                           4.6.1
5.5.1                           4.7.1
5.5.2                           4.8.1
                                4.9.2
                                5.0.1
                                5.1.1
                                5.2.1
                                5.3.2
                                5.4.1
                                5.5.1

Why didn’t my website get the automatic update?

Your site may not have automatically updated for a number of reasons. A few of the most likely are: you’re running a version prior to those impacted (below WooCommerce 3.3), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or a conflicting extension is preventing the update.

In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 5.5.2, 5.4.2, 5.3.1, etc), as listed in the table above.

Has any data been compromised?

Based on the current available evidence we believe any exploit was limited.

If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

How can I check if my store was exploited?

Due to the nature of this vulnerability, and the extremely flexible way that WordPress (and thus WooCommerce) allows web requests to be handled, there is no definitive way of confirming an exploit. You may be able to detect some exploit attempts by reviewing your web server’s access logs (or getting help from your web host to do so). Requests in the following formats seen between December 2019 and now likely indicate an attempted exploit:

  • REQUEST_URI matching regular expression //wp-json/wc/store/products/collection-data.*%25252.*/
  • REQUEST_URI matching regular expression /.*/wc/store/products/collection-data.*%25252.*/ (note that this expression is not efficient/is slow to run in most logging environments)
  • Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data

Requests that we have seen exploiting this vulnerability come from the following IP addresses, with over 98% coming from the first in the list. If you see any of these IP addresses in your access logs, you should assume the vulnerability was being exploited:

  • 137.116.119.175
  • 162.158.78.41
  • 103.233.135.21
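To make the log review described above concrete, here is an added example (not code from WooCommerce or the advisory) that applies the three indicators the advisory lists to Apache/Nginx combined-format access log lines: the `%25252` sequence in a collection-data URI, non-GET requests to the collection-data endpoint, and the listed source IPs. It also restricts findings to the December 2019 onward window the advisory names. The log lines are constructed samples using documentation IP ranges plus the advisory's first listed IP; the function and variable names are this example's own.

```python
import re
from datetime import datetime, timezone

# Indicators quoted from the advisory above.
URI_PATTERNS = [
    re.compile(r"/wp-json/wc/store/products/collection-data.*%25252.*"),
    # Broader form listed by the advisory; slower because it is
    # unanchored, but it also catches non-standard REST prefixes.
    re.compile(r".*/wc/store/products/collection-data.*%25252.*"),
]
COLLECTION_DATA_PATHS = (
    "/wp-json/wc/store/products/collection-data",
    "/?rest_route=/wc/store/products/collection-data",
)
KNOWN_IPS = {"137.116.119.175", "162.158.78.41", "103.233.135.21"}

# Start of the review window the advisory asks for (December 2019).
DEFAULT_SINCE = datetime(2019, 12, 1, tzinfo=timezone.utc)

# Common/combined access log format (Apache and Nginx defaults). Only the
# leading fields are captured; referer and user agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_collection_data_endpoint(uri):
    """True if the request targets collection-data via the pretty REST
    prefix or the ?rest_route= fallback."""
    path = uri.split("?", 1)[0]
    if path == COLLECTION_DATA_PATHS[0]:
        return True
    if uri.startswith(COLLECTION_DATA_PATHS[1]):
        rest = uri[len(COLLECTION_DATA_PATHS[1]):]
        return rest == "" or rest[0] == "&"
    return False


def classify(entry):
    """Return the advisory indicators an entry matches (empty list if none)."""
    reasons = []
    uri, method, ip = entry["uri"], entry["method"], entry["ip"]
    if any(p.search(uri) for p in URI_PATTERNS):
        reasons.append("collection-data URI containing %25252")
    if method != "GET" and is_collection_data_endpoint(uri):
        reasons.append(f"{method} request to collection-data endpoint")
    if ip in KNOWN_IPS:
        reasons.append("source IP listed in the advisory")
    return reasons


def scan_access_log(text, since=DEFAULT_SINCE):
    """Scan access log text; return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None or entry["time"] < since:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": lineno, "ip": entry["ip"],
                             "time": entry["time"].isoformat(),
                             "method": entry["method"], "uri": entry["uri"],
                             "reasons": reasons})
    return findings


# Constructed sample log (not real traffic). The last line predates the
# review window and is deliberately ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2021:10:01:02 +0000] "GET /wp-json/wc/store/products/collection-data?x=%25252 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - - [10/Jul/2021:10:02:15 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 300 "-" "python-requests/2.25"
137.116.119.175 - - [10/Jul/2021:10:03:40 +0000] "GET /?rest_route=/wc/store/products/collection-data HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2021:10:04:00 +0000] "GET /wp-json/wc/store/products/collection-data?min_price=10 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2021:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:09:00:00 +0000] "GET /wp-json/wc/store/products/collection-data?x=%25252 HTTP/1.1" 404 120 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['uri']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample, lines 1 to 3 are reported (one indicator each) while the ordinary storefront requests on lines 4 and 5 are not; a legitimate GET to collection-data with a normal query string is expected traffic and should not be treated as a hit. Run it against a real log with `scan_access_log(open("access.log").read())`, and remember that a match indicates an attempt, not necessarily a successful exploit.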

Which passwords do I need to change?

It’s unlikely that your password was compromised as it is hashed.

WordPress user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach protects your password as an admin user, and also the passwords of any other users on your site, including customers. While it is possible the hashed version of your password stored in your database may have been accessed through this vulnerability, the hash value should be indiscernible and still protect your passwords from unauthorized use.

This assumes that your site is using the standard WordPress password management for users. Depending on the plugins you’ve installed on your site you may have passwords or other sensitive information stored in less secure ways.

If any of the Administrator users on your site might have reused the same passwords on multiple websites we recommend you update those passwords in case their credentials have been compromised elsewhere. 

We also recommend changing any private or secret data stored in your WordPress/WooCommerce database. This may include API keys, public/private keys for payment gateways and more, depending on your particular store configuration.

As an extension developer or service provider, should we alert our WooCommerce merchants?

If you work with any live WooCommerce store or merchant, we encourage you to work with them to make sure they know about this issue, and/or update their store to a secure version.

If you have built an extension or offer a SaaS service that relies on the WooCommerce API, we encourage you to help merchants reset the keys to connect to your service. 

As a store owner, should I alert my customers? 

Whether you alert your customers is ultimately up to you. Your obligations to notify customers or reset things like passwords will vary depending on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised. 

The most important action you can take to protect your customers is to update your version of WooCommerce to a version that has been patched with a fix for this vulnerability. 

After updating, we recommend:

  • Updating the passwords for any Administrator users on your site, especially if you reuse the same passwords on multiple websites.
  • Rotating any Payment Gateway and WooCommerce API keys used on your site.

As the store owner it is ultimately your decision whether you want to take additional precautions such as resetting your customers’ passwords. WordPress (and thus WooCommerce) user passwords are hashed using salts, which means the resulting hash value is very difficult to crack. This salted hash approach is applied to all user passwords on your site, including your customers’ passwords.

Is WooCommerce still safe to use?

Yes.

Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency. 

Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed. 

Our continued investment in platform security allows us to prevent the vast majority of issues – but in the rare cases that could potentially impact stores, we strive to fix quickly, communicate proactively, and work collaboratively with the WooCommerce Community.

What if I still have questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
