WooCommerce announced they have patched a critical vulnerability affecting millions of users. Publishers using the WooCommerce plugin or the WooCommerce Blocks plugin are strongly urged to update their plugins if they have not already automatically updated.

Forced Automatic Update by WooCommerce

The vulnerability known as a SQL Injection Vulnerability is so severe that WooCommerce is pushing the update automatically to affected publishers.

Although the updates are automatic, some publishers are reporting that some of their sites did not receive the update yet.

So it’s important to check and manually update if the site has not yet updated to the highest version of your WooCommerce version branch.

SQL Injection Vulnerability

In general, a SQL Injection is a vulnerability that allows an malicious hacker to affect the database in a way that makes it display information or behave differently in ways it’s not supposed to, like in general, as an example, of being able to manipulate the database into revealing a password.

According to WooCommerce:

“If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.”

The announcement by WordFence noted that this is a Blind SQL Injection vulnerability.

WordFence explained the impact:

“This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.

The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch.”

Have WooCommerce Sites Been Compromised?

There is currently no evidence of a widespread attacks compromising WooCommerce sites. According to a statement by Wordfence, “Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.”

Software Version Branches

What is meant by the version branch is the number associated with the version a publisher is using.

A publisher can be using a very old version 3.x, a version 4.x and the latest version 5.x. Each of those versions, 3, 4 and 5 are considered a branch.

WooCommerce versions 4.x and 5.x are called branches of the software and version 5 is considered a major step up from version 4.

Some publishers may find it disruptive to update from version 4.x to 5.x.

To accommodate those publishers, WooCommerce released a patch that closes the vulnerability for each branch.

So if a site has WooCommerce version 4.x, they are encouraged to update to at least version 4.8.1, which is the very latest version of the 4.x WooCommerce branch.

Nevertheless, although the latest version of older branches are patched, the official announcement recommends updating to the very latest version of WooCommerce, currently version 5.5.1.

The announcement noted:

“…we still highly recommend you ensure that you’re using the latest versions of WooCommerce and WooCommerce Blocks (5.5.1).”

That statement may have inadvertently caused a little confusion as to how far up the version branch publishers should update.

Some publishers were wondering that if they’re using version 4.x, if it’s safe or should they update to the latest version of the highest branch in WooCommerce, currently version 5.5.1?