Critical Vulnerability Spotted in WooCommerce on July 13, 2021 – At A Glance
A critical vulnerability affecting WooCommerce and the WooCommerce Blocks feature plugin was identified on July 13, 2021. Upon learning of the issue, the WooCommerce team immediately conducted a thorough investigation, audited all associated codebases, and created a security patch for every impacted version, which was automatically deployed to affected stores.
Recommendation by WooCommerce
Automatic updates to WooCommerce 5.5.1 began rolling out on July 14, 2021, to all online stores running affected versions of the plugins. The WooCommerce team recommended that store owners confirm they are running the latest version. At the time of writing, the latest WooCommerce release was 5.5.2 (July 23, 2021); note that 5.5.2 contained no additional security fixes, so the security patch itself is 5.5.1 and any later version includes it. Store owners who also run WooCommerce Blocks should likewise be on version 5.5.1 of that plugin.
In addition, after updating to a patched version, the team recommended:
- Changing the passwords of all Admin users on the site, especially if those passwords are reused on other websites.
- Resetting any payment gateway keys and WooCommerce REST API keys used by the site.
It is still unclear whether data from affected stores was actually compromised. According to WooCommerce, the data that could have been exposed is whatever an affected site was storing, including orders, customer records, and admin information. In an email to store owners, WooCommerce also noted that sites hosted on WordPress.com and WordPress VIP had already been secured.
WooCommerce rolled out the security patch while automatic updates were still in progress; the patch targeted all stores running impacted versions of either plugin. The company continued to work with the WordPress.org Plugins team to update as many stores as possible to the secure version of WooCommerce.
How Can You Check If Your Store Was Exploited?
Due to the nature of this vulnerability, and the flexibility WordPress offers in handling web requests, there is no definitive way to verify whether a store was exploited. You may, however, be able to spot exploit attempts by reviewing your web server's access logs. According to WooCommerce, requests in the following formats, observed between December 2019 and the time of the advisory, indicate an exploit attempt:
- REQUEST_URI matching regular expression
- REQUEST_URI matching regular expression
- Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
Moreover, WooCommerce reported that the requests it observed exploiting this vulnerability came mainly from three IP addresses, with more than 98% originating from the first address in the list below. If any of these three IPs appear in your access logs, it is very likely that your store was targeted, and you should treat it as potentially exploited. These IP addresses are as follows:
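The following scanner is an added example, not code from WooCommerce or from the original article. It reads access-log lines in the common "combined" format (Apache/Nginx default), flags any non-GET request to either form of the collection-data endpoint named above, and optionally matches source IPs against a set of indicator addresses. The sample log lines and the indicator IP used here are constructed placeholders from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24); substitute the real indicator IPs from the WooCommerce advisory, which are not reproduced on this page. Ordinary GET requests to collection-data are normal storefront traffic (the Blocks product grid calls it), so only non-GET methods are flagged.

```python
import re
from typing import Dict, Iterable, List, Optional, FrozenSet

# Combined log format: ip ident user [time] "METHOD uri PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Both URL forms of the affected endpoint from the WooCommerce guidance.
# A trailing "/", "?", "&" or "#" (or end of string) keeps us from matching
# unrelated paths that merely share the prefix.
COLLECTION_DATA_RE = re.compile(
    r'^(?:/wp-json/wc/store/products/collection-data'
    r'|/\?rest_route=/wc/store/products/collection-data)(?:[/?&#]|$)'
)

# Placeholder indicator IP (hypothetical, from a documentation range).
# Replace with the addresses listed in the WooCommerce advisory.
INDICATOR_IPS: FrozenSet[str] = frozenset({"192.0.2.99"})


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def exploit_indicators(entry: Dict[str, str], indicator_ips: FrozenSet[str]) -> List[str]:
    """List the reasons an entry looks like an exploit attempt (empty list = benign)."""
    reasons = []
    if entry["method"] != "GET" and COLLECTION_DATA_RE.match(entry["uri"]):
        reasons.append("non-GET collection-data request")
    if entry["ip"] in indicator_ips:
        reasons.append("source IP in indicator list")
    return reasons


def scan(lines: Iterable[str], indicator_ips: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Scan log lines; return one finding per suspicious line, in log order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        entry = parse_line(line.rstrip("\n"))
        if entry is None:
            continue  # unparseable line; a real run should count these separately
        reasons = exploit_indicators(entry, indicator_ips)
        if reasons:
            findings.append({"line_no": line_no, "ip": entry["ip"], "time": entry["time"],
                             "method": entry["method"], "uri": entry["uri"],
                             "reasons": reasons})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG_LINES = [
    # benign shopper GET: the Blocks product grid loads collection-data normally
    '203.0.113.10 - - [15/Jul/2021:10:01:02 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # POST to the pretty-permalink form of the endpoint: flagged
    '198.51.100.7 - - [15/Jul/2021:10:02:15 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 1834 "-" "python-requests/2.25.1"',
    # PUT to the ?rest_route= form with extra parameters: flagged
    '198.51.100.7 - - [15/Jul/2021:10:02:16 +0000] "PUT /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts=1 HTTP/1.1" 200 1834 "-" "python-requests/2.25.1"',
    # unrelated POST to the Store API cart endpoint: not flagged
    '203.0.113.10 - - [15/Jul/2021:10:03:00 +0000] "POST /wp-json/wc/store/cart/add-item HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    # harmless-looking GET from the placeholder indicator IP: flagged by IP only
    '192.0.2.99 - - [15/Jul/2021:10:04:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES, INDICATOR_IPS):
        print(f"line {f['line_no']}: {f['ip']} {f['method']} {f['uri']} -> {', '.join(f['reasons'])}")
```

Run it against a real log with something like `scan(open("/var/log/apache2/access.log"), INDICATOR_IPS)`; because WooCommerce observed attempts going back to December 2019, include rotated logs from that period, not only the current file. A hit on the endpoint check tells you someone probed the vulnerable code path, not that the attempt succeeded, which is why the advisory still recommends rotating credentials regardless of what the logs show.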
Which Passwords Do You Need To Change?
According to WordPress, it is unlikely that any of your passwords was directly compromised. WordPress stores user passwords as salted hashes rather than in plaintext, so recovering the original password from a stolen hash is computationally expensive; this protects the passwords of admin users and of every other user on your store alike. However, WordPress acknowledged that the hashed passwords stored in your database may have been exposed through this vulnerability, and a weak or reused password can still be recovered from its hash by offline guessing, which is why the rotation advice below matters.
According to WooCommerce, depending on the plugins installed on your store, you may also have sensitive information or passwords saved in less secure ways. They therefore recommend changing any password that an Admin user of your site also uses on other websites; this protects those other accounts as well. WordPress also recommends reviewing and rotating any private or secret data stored in your WooCommerce database, which may include REST API keys, payment gateway credentials, and similar secrets, depending on your store's configuration.
Is WooCommerce Still Safe To Go With?
Situations like this are unusual but do occur. WooCommerce's position is that, as a mature and widely used platform, it responds immediately and works transparently when they do. As soon as the vulnerability was reported, the WooCommerce team worked continuously to ship a fix as quickly as possible. Their ongoing investment in WooCommerce security allows them to prevent the vast majority of issues, and in the rare cases that do affect stores, the team aims to fix the problem promptly, communicate proactively, and work collaboratively with the WooCommerce community.