The WooCommerce Vulnerability Affects Millions of WordPress Sites

WooCommerce has patched a critical vulnerability affecting millions of sites and is pushing the fix out as a forced update. Publishers who use the WooCommerce plugin or the WooCommerce Blocks plugin are strongly urged to confirm that both plugins are up to date and to update them immediately if they are not.

Automated updates forced by WooCommerce

Because of the severity of the SQL injection issue, WooCommerce is rolling out fixes to affected sites immediately. Even though the update is automatic, some publishers report that their sites have not yet received it. It is therefore important to check the installed version and, if it is not the latest release of your WooCommerce branch, update it manually.

The WooCommerce SQL injection vulnerability

A SQL injection vulnerability lets an attacker alter the query an application sends to its database, so that the database returns data it should not or behaves in ways it was never supposed to, such as being manipulated into divulging stored passwords.

WooCommerce states:

“According to Information Week, if a store is affected, exposed information will include information specific to the store, as well as order, customer and administrative information.”

Wordfence classifies the flaw as a blind SQL injection: the attacker never sees query output directly and must infer the data from how the application responds.

According to Wordfence, the impact is:

“In a database of an online store, the vulnerability made it possible for unauthenticated attackers to gain access to arbitrary data.”

“Wordfence Threat Intelligence developed proofs-of-concept within hours of the patch being released for boolean-based and time-based blind injections.”
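To make the two injection styles Wordfence names concrete, here is an added, self-contained illustration in Python. It is not WooCommerce's code and not Wordfence's proof of concept; the store schema, the `api_key` option, the secret value and the handler names are all constructed for this example. A toy request handler pastes an `order_id` parameter into SQL and returns only a row count, so no data is ever displayed. A boolean-based blind attack turns that count into a yes/no oracle and recovers a hidden string one character at a time. A time-based variant works the same way but replaces the row count with a deliberate delay, which is why Wordfence could build both within hours of seeing the patch. The hardened handler beside it validates the type and binds the value as a query parameter, which rejects the payload before it reaches the database.

```python
import sqlite3
import string

# Constructed sample secret for the demo; not a real credential.
SECRET = "s3cr3t-api-key"


def build_db() -> sqlite3.Connection:
    """Constructed toy store schema: an orders table and an options table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT);
        INSERT INTO orders VALUES (1, 'completed'), (2, 'pending');
        CREATE TABLE options (name TEXT, value TEXT);
        """
    )
    conn.execute("INSERT INTO options VALUES (?, ?)", ("api_key", SECRET))
    return conn


def vulnerable_count(conn: sqlite3.Connection, order_id: str) -> int:
    """Deliberately vulnerable: the request parameter is pasted into the SQL.
    The caller only learns a row count, which is what makes the injection blind."""
    sql = "SELECT COUNT(*) FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchone()[0]


def hardened_count(conn: sqlite3.Connection, order_id: str) -> int:
    """Fix: validate the type, then bind the value as a query parameter."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE id = ?", (int(order_id),)
    ).fetchone()[0]


def blind_extract(oracle, max_len: int = 64) -> str:
    """Boolean-based blind extraction: recover a hidden string one character
    at a time, using only whether the injected condition evaluated true
    (count 1) or false (count 0)."""
    alphabet = string.ascii_letters + string.digits + "-_"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            # SUBSTR is 1-indexed in SQLite. The subquery compares one
            # character of the secret; ANDing it onto a true condition turns
            # the row count into a yes/no oracle.
            payload = (
                "1 AND (SELECT SUBSTR(value, %d, 1) FROM options "
                "WHERE name = 'api_key') = '%s'" % (pos, ch)
            )
            if oracle(payload) == 1:
                hit = ch
                break
        if hit is None:
            break  # no character matched: we ran past the end of the secret
        recovered += hit
    return recovered


def injection_blocked(conn: sqlite3.Connection, payload: str) -> bool:
    """True when the hardened handler rejects the payload before it reaches SQL."""
    try:
        hardened_count(conn, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    leaked = blind_extract(lambda p: vulnerable_count(db, p))
    print("vulnerable handler leaked:", leaked)
    print("hardened handler blocks payload:", injection_blocked(db, "1 AND 1=1"))
```

The point to take from the extraction loop is that a single bit of information per request (one row or none) is enough to read the whole table, so "the endpoint only returns a count" is not a mitigation. Parameter binding, not escaping, is the fix, because the value can then never change the shape of the query.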

Have WooCommerce sites been compromised?

At this time, there is no evidence of widespread attacks compromising WooCommerce sites.

WordFence said:

“Our observation is that these attacks were very targeted, as no evidence has been found of their existence.”

WooCommerce version branches

“A version branch corresponds to the version a publisher is using at the time.”

Publishers may be running the very old 3.x branch, the 4.x branch, or the current 5.x branch. Each major version (3, 4 and 5) is considered a branch of the WooCommerce plugin itself, not of WordPress. Version 5 is a major upgrade from version 4, and publishers may find moving from 4.x to 5.x disruptive, so the WooCommerce team has released a patched release for each branch.

For example, if your site is on WooCommerce 4.x, you should update to 4.8.1, the most recent release in that branch.

However, even though the latest release of each older branch is patched, the official announcement still recommends upgrading to the latest version of WooCommerce, currently 5.5.2.
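Checking "am I on the patched release of my branch, and am I on the recommended latest?" is a version comparison, and getting it wrong (for instance comparing "4.8" and "4.8.1" as strings) is easy. The following is an added Python check, not a WooCommerce tool. It encodes only what this article states: 4.8.1 as the patched release of the 4.x branch and 5.5.2 as the recommended latest. The article gives no minimum for the 3.x branch or for 5.x releases below 5.5.2, so the check answers "unknown" for those rather than guessing; fill those entries in from the official WooCommerce announcement before relying on it.

```python
from typing import Optional, Tuple

# Minimum patched release per branch, as stated in the article. Only the 4.x
# value (4.8.1) is given there; the 3.x minimum is not, so it is left None
# and must be filled in from the official WooCommerce announcement.
PATCHED_MINIMUM: dict = {
    3: None,
    4: (4, 8, 1),
}
# Latest WooCommerce / WooCommerce Blocks version recommended by the announcement.
LATEST: Tuple[int, ...] = (5, 5, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.8.1' -> (4, 8, 1). Tuples compare component-wise, so (4, 8) < (4, 8, 1),
    unlike a naive string comparison."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)


def at_or_above_latest(installed: str) -> bool:
    """True when the installed version meets the announcement's recommendation."""
    return parse_version(installed) >= LATEST


def assess(installed: str) -> str:
    """Classify an installed version as 'patched', 'vulnerable', 'unknown'
    (the article states no minimum for that branch) or 'unsupported'
    (a branch the article does not cover at all)."""
    ver = parse_version(installed)
    if ver >= LATEST:
        return "patched"
    branch = ver[0]
    if branch == LATEST[0]:
        return "unknown"  # 5.x below 5.5.2: the article gives no branch minimum
    if branch not in PATCHED_MINIMUM:
        return "unsupported"
    minimum: Optional[Tuple[int, ...]] = PATCHED_MINIMUM[branch]
    if minimum is None:
        return "unknown"
    return "patched" if ver >= minimum else "vulnerable"


if __name__ == "__main__":
    for v in ("4.8", "4.8.1", "5.5.1", "5.5.2", "3.9.0"):
        print(v, "->", assess(v), "| at/above latest:", at_or_above_latest(v))
```

On a live site, the installed version comes from WP-CLI with `wp plugin get woocommerce --field=version`, and `wp plugin update woocommerce` performs the manual update the section above asks for when the automatic one has not arrived.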

According to the announcement,

“Our recommendation remains to use the latest versions of WooCommerce and WooCommerce Blocks (5.5.2).”

We apologize for any confusion that may have been caused by that statement regarding how far up the version branch publishers should update.

Publishers have wondered whether it is safe to stay on version 4.x, or whether they should upgrade to the latest version of WooCommerce, currently 5.5.2.

Someone asked that in the comments section of the official announcement:

“Is the Woocommerce Version 4.8.1. safe now or not?”

WooCommerce responded with the following statement:

“The WooCommerce plugin is affected by this critical vulnerability, so ensuring it is updated first is a priority.

There’s no need to do anything else until you’re ready to update to the latest version (5.5.2).”

Faraz Frank

Hi! I am Faraz Frank, a freelance WordPress developer.