On the evening of July 14, 2021, the Woo Team made public a critical vulnerability in all versions of WooCommerce (from 3.3 to 5.5) and the WooCommerce Blocks plugin. This vulnerability was originally identified and responsibly disclosed by security researcher Josh, via their HackerOne security program on July 13, 2021.
This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.
The developers of WooCommerce immediately conducted a thorough investigation, audited all related codebases, and created an emergency patch for this SQL Injection vulnerability for every impacted version of WooCommerce. Additionally, the WordPress.org team began pushing forced automatic updates to vulnerable WordPress installations.
While there are indications that this has been exploited in the wild, our partners at Wordfence Threat Intelligence have found extremely limited evidence of these attempts, and it is likely that such attempts (at least the initial ones) were highly targeted.
Due to the severe nature of the flaw, we took action immediately upon learning of the patch, and ALL ESC! Technologies Group clients who subscribe to one of our WordPress Care Plans were updated to WooCommerce 5.3.1, 5.4.2 or 5.5.1, depending on the branch of WooCommerce currently installed on your site.
There is nothing further you need to do.
We are continuing to monitor the situation and will keep you updated if there’s anything further you need to know about this as it relates to your website.
If you’d like more information about the vulnerability:
Updating Your Site
If you’re not subscribed to one of ESC! Technologies Group’s WordPress Care Plans, then before upgrading you’ll want to be sure to:
1. Ensure compatibility with, and/or upgrade, all your third-party plugins.
2. Ensure compatibility with your theme and framework and upgrade if necessary.
3. Turn off any caching plugins you may have installed.
4. Perform a full backup of your site and database.
5. Upgrade WooCommerce to the latest version for your branch.
6. After the upgrade is complete, re-enable your caching plugins and test your site.
Current releases of WooCommerce can be found here: https://developer.woocommerce.com/releases/
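
The six steps above as a WP-CLI script, added here as an example and not code from WooCommerce or ESC! Technologies Group. It assumes WP-CLI is installed as `wp` and run from the WordPress root; `CACHE_PLUGINS`, `BACKUP_DIR` and the function names are hypothetical, and the patched-version table holds only the three releases named on this page.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumes WP-CLI (`wp`) and the WordPress root as cwd.
# CACHE_PLUGINS: this site's caching plugin slugs (site-specific, hypothetical variable).
# BACKUP_DIR: must be outside the web root so dumps cannot be downloaded.
CACHE_PLUGINS="${CACHE_PLUGINS:-}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Patched releases named on this page, keyed by branch.
patched_for_branch() {
  case "$1" in
    5.3) echo 5.3.1 ;;
    5.4) echo 5.4.2 ;;
    5.5) echo 5.5.1 ;;
    *)   return 1 ;;  # other branches: check the releases page
  esac
}

# Prints patched / vulnerable / unknown for a version string such as 5.4.1.
wc_status() {
  ver=$1
  branch=$(printf '%s' "$ver" | cut -d. -f1,2)
  fix=$(patched_for_branch "$branch") || { echo unknown; return 0; }
  lowest=$(printf '%s\n%s\n' "$fix" "$ver" | sort -V | head -n 1)
  if [ "$lowest" = "$fix" ]; then echo patched; else echo vulnerable; fi
}

upgrade_woocommerce() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR" || return 1
  # Steps 1-2: list plugin and theme versions for manual compatibility review.
  wp plugin list --fields=name,status,version,update || return 1
  wp theme list --fields=name,status,version,update || return 1
  # Step 3: turn off caching plugins (word-splitting of the slug list is intended).
  [ -z "$CACHE_PLUGINS" ] || wp plugin deactivate $CACHE_PLUGINS || return 1
  # Step 4: full backup of database and files, stored outside the web root.
  wp db export "$BACKUP_DIR/db-$stamp.sql" || return 1
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" . || return 1
  # Step 5: --patch stays on the current branch (e.g. 5.4.x -> latest 5.4 release).
  wp plugin update woocommerce --patch || return 1
  # Step 6: re-enable caching, then report the installed version's status.
  [ -z "$CACHE_PLUGINS" ] || wp plugin activate $CACHE_PLUGINS || return 1
  wc_status "$(wp plugin get woocommerce --field=version)"
}
```

Source the file and call `upgrade_woocommerce`; an `unknown` result means the installed branch is not one of the three listed on this page and should be checked against the releases page.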