⚠️ Action required: Security update for WooCommerce
For #woocommerce users: please see the email below from WooCommerce, in case you have not seen it, and act on it for your online stores ASAP.
What do I need to do?
If your version of WooCommerce has already been updated to version 8.9.3 (or if auto-updates are enabled), no further action is required. If not, you’ll need to update it manually.
To update:
- Log in to your store’s WP Admin dashboard and navigate to Plugins.
- Locate WooCommerce in your list of installed plugins and extensions. You should see an alert stating, "There is a new version of WooCommerce available."
- Click the update now link displayed in this alert to update to version 8.9.3.
If you don't see the new version alert, please manually check your version number. If you are unable to update WooCommerce immediately, you should disable Order Attribution. This vulnerability is only exploitable if Order Attribution is enabled.
What is the vulnerability?
A security researcher originally reported the vulnerability to us as part of Automattic's HackerOne Bug Bounty Program. This vulnerability could allow for cross-site scripting — a type of attack where a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.
Has my store's data been compromised?
We are not aware of any exploits of this vulnerability.
What else can I do to keep my store secure?
We always encourage merchants to maintain high security standards. This includes the use of strong passwords, two-factor authentication, careful monitoring of transactions, and using the latest, secure version of WooCommerce (and any other extensions or plugins installed on your site). Read more about security best practices.
I use a version of WooCommerce older than 8.8.0; is my store impacted?
The vulnerability impacts any site running the following versions of WooCommerce — specifically if the store has Order Attribution enabled (this is enabled by default).
If you are using an earlier stable, updated version of WooCommerce, your store is not affected.
How do I know if my store is secure?
If you are running the latest, patched version of WooCommerce (version 8.9.3, as well as the backported 8.8.5), your store is safe. Our Developer Advisory explains how to check your store's WooCommerce version status, and includes other details related to the update. We encourage you to enable auto-updates to keep your plugin versions current and ensure you automatically receive all future security updates.
We always strive for transparent and timely communication with our community. If you have any questions about this issue, please get in touch with our Happiness team.
Monday, June 10, 2024
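
A fleet check built on the version numbers in the email above, added here as an example and not part of WooCommerce's message: it classifies a version as patched (8.9.3, or the 8.8.5 backport), not affected (older than 8.8.0), or needing an update. The site names and inventory are constructed, and treating later releases on each branch as still carrying the fix is an assumption.

```shell
#!/bin/sh
# Added example: triage WooCommerce versions against the advisory's numbers.
# Versions can be collected per site with WP-CLI, for instance:
#   wp plugin get woocommerce --field=version

# Turn MAJOR.MINOR.PATCH into one integer; fail on anything else
# (pre-releases, truncated strings) so it is reviewed by hand.
ver_key() (
  printf '%s\n' "$1" |
    grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){2}$' || exit 1
  IFS=.
  set -- $1
  echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
)

# Prints: patched | not-affected | update-required | unknown
classify_wc_version() (
  key=$(ver_key "$1") || { echo unknown; exit 0; }
  if   [ "$key" -lt "$(ver_key 8.8.0)" ]; then echo not-affected     # per the FAQ
  elif [ "$key" -lt "$(ver_key 8.8.5)" ]; then echo update-required  # unpatched 8.8.x
  elif [ "$key" -lt "$(ver_key 8.9.0)" ]; then echo patched          # 8.8.5 backport (assumed: and later 8.8.x)
  elif [ "$key" -lt "$(ver_key 8.9.3)" ]; then echo update-required  # unpatched 8.9.x
  else echo patched                                                  # 8.9.3 (assumed: and later)
  fi
)

# Constructed inventory: "<site> <woocommerce version>" per line.
inventory='shop-a 8.9.3
shop-b 8.9.1
shop-c 8.8.5
shop-d 8.7.0
shop-e 8.8.2
shop-f 9.0.0-beta.1'

# One line per store: site, version, status.
report() {
  printf '%s\n' "$inventory" | while read -r site ver; do
    printf '%s %s %s\n' "$site" "$ver" "$(classify_wc_version "$ver")"
  done
}

report
```

Stores reported as `update-required` are the ones where, per the email, Order Attribution should be disabled if the update cannot be applied immediately.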