Important Security Patch Released in WooCommerce

On September 21, 2021, our team released a security patch to address an issue with a server configuration used by some hosts which, under the right conditions (such as Directory Listing being enabled on the web server), could make some exported analytics report files publicly accessible.

What actions should I take?

Automatic software updates began rolling out on September 21, 2021, to all stores running impacted versions of WooCommerce, but we still highly recommend that you confirm you are running a patched version. That is 5.7.0, or the highest patched version in your release branch (see the lists below).

After updating to a patched version, we also recommend disabling Directory Listing on your web server, if it isn’t already disabled. When this feature is enabled, the web server responds to a request for a directory that has no index file by returning a list of every file in that directory. You can check whether it is active by visiting <domain>/wp-content/uploads in a browser: a page listing files means it is on. If you’re not sure how to disable it, please contact your web host directly.

How do I know if my version is up-to-date?

The lists below contain the full set of patched versions of WooCommerce and WooCommerce Admin. If you are running a version of WooCommerce that is not on this list, please update immediately to the highest patched version in your release branch. Once you update to any of the patched versions of WooCommerce below, WooCommerce Admin should update automatically.

Patched versions of WooCommerce
– 4.0.3
– 4.1.3
– 4.2.4
– 4.3.5
– 4.4.3
– 4.5.4
– 4.6.4
– 4.7.3
– 4.8.2
– 4.9.4
– 5.0.2
– 5.1.2
– 5.2.4
– 5.3.2
– 5.4.3
– 5.5.3
– 5.6.1
– 5.7.0

Patched versions of WooCommerce Admin
– 1.0.4
– 1.1.4
– 1.2.5
– 1.3.3
– 1.4.1
– 1.5.1
– 1.6.4
– 1.7.4
– 1.8.4
– 1.9.1
– 2.0.4
– 2.1.6
– 2.2.7
– 2.3.2
– 2.4.5
– 2.5.2
– 2.6.4

Why didn’t my website get the automatic update?

Your site may not have been updated automatically for a number of reasons. The most likely are: you are running a version that is not affected (below WooCommerce 4.0.0), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or a conflicting extension is preventing the update.

In all cases (except the first, where you are unaffected), you should manually update to the newest patched version in your release branch (e.g. 4.0.3, 4.5.4, 5.5.3, etc.), as listed above.

How can I check if my reports were affected?

Two checks you can run on your site:

  • Visit <your-domain>/wp-admin/options.php and search the page for the woocommerce_admin_report_export_status field. If it is present, report exports have been generated on this site and it is possible that one of the exported report files was downloaded.
  • Visit <your-domain>/wp-content/uploads in a browser. If you receive a list of files, rather than a blank page or an error such as 403 Forbidden, it is possible that a report file was publicly accessible.
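The Directory Listing check above (and the same advice under “What actions should I take?”) can be scripted rather than done by eye. The following is an added example, not WooCommerce’s own code: a POSIX shell script with a heuristic that recognises an auto-generated directory index in a fetched response body, and a helper that writes an `Options -Indexes` override plus an empty index.html into an uploads directory so that a listing is never produced even if the host leaves the server-wide setting on. The sample HTML bodies and the temporary directory are constructed for the demo; the curl command in the comments, the example URL and the uploads path are assumptions to adapt to your own site.

```shell
#!/bin/sh
# Added example, not WooCommerce's own code. Two helpers for the checks in
# this advisory:
#   looks_like_directory_listing - heuristic: does an HTTP response body look
#                                  like an auto-generated directory index?
#   harden_uploads_dir           - stop a listing of an uploads directory from
#                                  ever being produced (Apache override + index file).
# Sample bodies and the demo directory are constructed here. A real body would
# come from something like (assumed URL, adapt to your site):
#   body=$(curl -fsSL "https://example.com/wp-content/uploads/" || true)

# Return 0 (true) when $1 contains the markers that Apache mod_autoindex,
# nginx autoindex and similar modules put in their generated pages. A blank
# page, an error page or an empty body (curl -f on a 403) returns 1. This is
# a heuristic: a hand-written page containing "Index of /" would also match.
looks_like_directory_listing() {
    body="$1"
    [ -n "$body" ] || return 1
    if printf '%s' "$body" | grep -qiE '<title>Index of /|<h1>Index of /|Parent Directory'; then
        return 0
    fi
    return 1
}

# Make $1 safe from listing even if the server's Indexes option stays on:
#  - an Apache per-directory override that turns the option off (needs
#    AllowOverride Options or All on the host; nginx ignores .htaccess);
#  - an empty index.html, which every common server serves instead of a
#    generated index. Existing files are kept and the directive is appended
#    only once, so the function can be re-run safely.
harden_uploads_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ ! -f "$dir/.htaccess" ]; then
        printf 'Options -Indexes\n' > "$dir/.htaccess"
    elif ! grep -q '^Options -Indexes' "$dir/.htaccess"; then
        printf '\nOptions -Indexes\n' >> "$dir/.htaccess"
    fi
    [ -f "$dir/index.html" ] || : > "$dir/index.html"
    return 0
}

# Constructed sample responses: an open Apache-style listing that exposes an
# exported report (file name is made up), and the blank page a hardened
# directory returns.
SAMPLE_LISTING='<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="../">Parent Directory</a>
<a href="example-report-export.csv">example-report-export.csv</a>
</body></html>'
SAMPLE_BLANK=''

# Demo: classify both samples, then harden a throwaway directory.
if looks_like_directory_listing "$SAMPLE_LISTING"; then
    echo "SAMPLE_LISTING: directory listing EXPOSED - disable it and review uploads"
else
    echo "SAMPLE_LISTING: no listing detected"
fi
if looks_like_directory_listing "$SAMPLE_BLANK"; then
    echo "SAMPLE_BLANK: directory listing EXPOSED - disable it and review uploads"
else
    echo "SAMPLE_BLANK: no listing detected"
fi

DEMO_DIR=$(mktemp -d)
harden_uploads_dir "$DEMO_DIR"
echo "wrote $DEMO_DIR/.htaccess:" && cat "$DEMO_DIR/.htaccess"
rm -rf "$DEMO_DIR"
```

Two caveats before using harden_uploads_dir on a live site. On Apache the override only takes effect if the host allows it: with AllowOverride None the .htaccess is silently ignored, and with an AllowOverride that excludes Options the directory starts returning 500 Internal Server Error, so test the URL immediately afterwards. On nginx, .htaccess files are never read; a listing there means the host has turned autoindex on explicitly, and only the host can turn it off (the empty index.html still stops the listing in the meantime). For the first check, if you have WP-CLI access, `wp option get woocommerce_admin_report_export_status` prints the option’s value, or an error if the option does not exist, which is equivalent to searching options.php.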

Further questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

Reposted from WooCommerce