Critical vulnerability discovered in WooCommerce – Millions of online stores could be compromised

On July 13, 2021, a critical vulnerability was discovered in WooCommerce and the WooCommerce Blocks plugin (Critical Vulnerability Detected in WooCommerce). It could affect millions of online stores around the world that were built on this platform.

The announcement was made by the WooCommerce (Automattic) staff on the official blog and, as expected, no details were given about the vulnerable files. It is in any case easy to see where the code changes were made by comparing the vulnerable versions with the ones updated a few hours ago, which contain the security patch.

By exploiting this vulnerability, an attacker can take over absolutely all of the online store's content, including: customers' personal data, order details, sales reports and order status, and the store's administrative information and privileges. In practice, this means all the WooCommerce data that the "Shop Manager" has access to.

Which WooCommerce versions are affected by this critical vulnerability?

All versions of WooCommerce and WooCommerce Blocks from 3.3 up to 5.5. That is a huge number of versions, and online stores that keep WooCommerce up to date are not exempt from this vulnerability either.

An urgent update to the most recent version of WooCommerce (5.5.1) is recommended. If you use an older version, the WooCommerce team has created a dedicated patch fix for each one. This way you are not forced to do a major WooCommerce upgrade if you do not have the time and resources for it right now.


For example, if your online store has WooCommerce 3.4.x installed, the security update is WooCommerce 3.4.8. It is not mandatory to switch to WooCommerce 5.5.1, but it is strongly advised that you do so in the near future.

All versions with the security patch can be downloaded and manually updated from WooCommerce Core / Releases. The updated versions are those with the date “2021-07-14”.

The update can also be done from Dashboard → Plugins → WooCommerce → Update, or through automatic updates if you have this option enabled in WordPress.

We hope that the security breach was discovered in time and that most online stores are in the process of applying the updates.

Critical Vulnerability Detected in WooCommerce – The investigation is still underway. At the moment, neither the impact of this vulnerability nor whether the patch could negatively affect anything is known.

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have extensive experience with operating systems (macOS, Windows and Linux), as well as with programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).
