WooCommerce announced they have patched a critical vulnerability affecting millions of users. Publishers using the WooCommerce plugin or the WooCommerce Blocks plugin are strongly urged to update their plugins if they have not already automatically updated.
WooCommerce Forced Automatic Update
The vulnerability known as a SQL Injection Vulnerability is so severe that WooCommerce is pushing the update automatically to affected publishers.
Although the updates are automatic, some publishers are reporting that some of their sites did not receive the update yet.
So it’s important to check and manually update if the site has not yet updated to the highest version of your WooCommerce version branch.
WooCommerce SQL Injection Vulnerability
In general, a SQL Injection is a vulnerability that allows an malicious hacker to affect the database in a way that makes it display information or behave differently in ways it’s not supposed to, like in general, as an example, of being able to manipulate the database into revealing a password.
According to WooCommerce:
“If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.”
The announcement by WordFence noted that this is a Blind SQL Injection vulnerability.
WordFence explained the impact:
“This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.
The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch.”
Have WooCommerce Sites Been Compromised?
There is currently no evidence of a widespread attacks compromising WooCommerce sites.
“Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.”
WooCommerce Software Version Branches
What is meant by the version branch is the number associated with the version a publisher is using.
A publisher can be using a very old version 3.x, a version 4.x and the latest version 5.x. Each of those versions, 3, 4 and 5 are considered a branch.
WooCommerce versions 4.x and 5.x are called branches of the software and version 5 is considered a major step up from version 4.
Some publishers may find it disruptive to update from version 4.x to 5.x.
To accommodate those publishers, WooCommerce released a patch that closes the vulnerability for each branch.
So if a site has WooCommerce version 4.x, they are encouraged to update to at least version 4.8.1, which is the very latest version of the 4.x WooCommerce branch.
Nevertheless, although the latest version of older branches are patched, the official announcement recommends updating to the very latest version of WooCommerce, currently version 5.5.1.
The announcement noted:
“…we still highly recommend you ensure that you’re using the latest versions of WooCommerce and WooCommerce Blocks (5.5.1).”
That statement may have inadvertently caused a little confusion as to how far up the version branch publishers should update.
Some publishers were wondering that if they’re using version 4.x, if it’s safe or should they update to the latest version of the highest branch in WooCommerce, currently version 5.5.1?
That’s what someone asked in the comments section of the official announcement:
“Is the Woocommerce Version 4.8.1. safe now or not?”
Someone from WooCommerce answered with the following statement:
“As this critical vulnerability concerns the WooCommerce plugin, we highly recommend ensuring this is up to date first.
The version you mention, 4.8.1, contains the security patch so there’s nothing else you need to do here until you’re ready to update to the latest version (5.5.1).”
Official WooCommerce Announcement
Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know
WordFence Report and Analysis of the Vulnerability
Critical SQL Injection Vulnerability Patched in WooCommerce