Critical vulnerability discovered in WooCommerce – Million online stores could be compromised


A critical vulnerability in WooCommerce and the WooCommerce Blocks plugin was recently discovered, on July 13, 2021 (Critical Vulnerability Detected in WooCommerce). It could affect millions of online stores around the world that were built on this platform.

The announcement was made by the WooCommerce (Automattic) staff on the official blog and, as expected, no details were given about the vulnerable files. It is nevertheless easy to see where the code changed by comparing the vulnerable versions with the ones updated a few hours ago, which contain the security patch.

By exploiting this vulnerability, an attacker can take over absolutely all of the online store's content, including: customers' personal data, order details, sales reports and order status, information and administrative privileges of the online store. Basically, all the WooCommerce data that a “Shop Manager” has access to.

Which versions of WooCommerce are affected by this critical vulnerability?

All versions of WooCommerce and WooCommerce Blocks from 3.3 up to 5.5. That is a huge number of versions, and online stores that have kept WooCommerce updated are not exempt from this vulnerability either.

An urgent update to the latest version of WooCommerce (5.5.1) is recommended. If you use an older version, WooCommerce has created a dedicated security patch release for each one. This way you are not forced to do a major WooCommerce upgrade if you don't have the time and resources right now.


For example, if your online store runs WooCommerce 3.4.x, the security update is WooCommerce 3.4.8. It is not mandatory to switch to WooCommerce 5.5.1, but it is strongly advisable to do so in the near future.

All versions with the security patch can be downloaded and manually updated from WooCommerce Core / Releases. The updated versions are those dated “2021-07-14”.

The update can also be done from Dashboard → Plugins → WooCommerce → Update, or through automatic updates if you have this option enabled in WordPress.
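A quick way to triage a store before updating, written as an added example (not WooCommerce's own tooling). It assumes the 3.3 to 5.5 range above refers to the WooCommerce core version and knows only the two fixed releases named in this article; the function names and the `--live` switch are hypothetical, and `sort -V` requires GNU coreutils.

```shell
#!/usr/bin/env bash
# Classify a WooCommerce version against the range and fixed releases
# stated in the article. Other branches are reported for manual lookup.

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# fixed_for BRANCH: print the patched release for a branch, if the
# article names one (3.4.x -> 3.4.8, 5.5.x -> 5.5.1).
fixed_for() {
  case "$1" in
    3.4) echo 3.4.8 ;;
    5.5) echo 5.5.1 ;;
    *)   return 1 ;;  # not listed in the article
  esac
}

# wc_status VERSION: print a one-line verdict for an installed version.
wc_status() {
  wc_ver="$1"
  wc_branch="$(printf '%s' "$wc_ver" | cut -d. -f1,2)"
  if ver_lt "$wc_branch" 3.3 || ver_lt 5.5 "$wc_branch"; then
    echo "outside-affected-range"
  elif wc_fixed="$(fixed_for "$wc_branch")"; then
    if ver_lt "$wc_ver" "$wc_fixed"; then
      echo "vulnerable:update-to-$wc_fixed"
    else
      echo "patched"
    fi
  else
    # Affected branch, but the article does not name its fixed release.
    echo "affected-branch:check-release-dated-2021-07-14"
  fi
}

# Optional live check through WP-CLI, run from the WordPress root.
if [ "${1:-}" = "--live" ]; then
  wc_status "$(wp plugin get woocommerce --field=version)"
fi
```

For branches other than 3.4 and 5.5, look up the release dated 2021-07-14 for that branch on the releases page and update to it.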

We hope that the security breach was discovered in time and that most online stores are in the process of updating.

Critical Vulnerability Detected in WooCommerce – The investigation is still underway. At the moment, the impact of this vulnerability is not known, nor whether the security patch could negatively affect anything.
