Important security patch released in WooCommerce

Allen Smith Avatar
Allen Smith

โ€ข

On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.

What actions should I take?

Automatic software updates began rolling out on September 21, 2021, to all stores running impacted versions of WooCommerce, but we still highly recommend you ensure that youโ€™re using a patched version. This is 5.7.0 or the highest number possible in your release branch.

After updating to a patched version, we also recommend disabling Directory Listing on your web server, if it isn’t already. This feature displays a list of every file in the web directory when there is no index file present. You can check if this is active by visiting <domain>/wp-content/uploads in a browser. If youโ€™re not sure how to disable this, please contact your web host directly.

How do I know if my version is up-to-date?

The table below contains the full list of patched versions of WooCommerce and WooCommerce Admin. If you are running a version of WooCommerce that is not on this list, please update immediately to the highest version in your release branch. Once you update to any of the patched versions of WooCommerce below, WooCommerce Admin should update automatically.

Patched versions of WooCommerce
– 4.0.3
– 4.1.3
– 4.2.4
– 4.3.5
– 4.4.3
– 4.5.4
– 4.6.4
– 4.7.3
– 4.8.2
– 4.9.4
– 5.0.2
– 5.1.2
– 5.2.4
– 5.3.2
– 5.4.3
– 5.5.3
– 5.6.1
– 5.7.0
Patched versions of WooCommerce Admin
– 1.0.4
– 1.1.4
– 1.2.5
– 1.3.3
– 1.4.1
– 1.5.1
– 1.6.4
– 1.7.4
– 1.8.4
– 1.9.1
– 2.0.4
– 2.1.6
– 2.2.7
– 2.3.2
– 2.4.5
– 2.5.2
– 2.6.4

Why didnโ€™t my website get the automatic update?

Your site may not have automatically updated for a number of reasons. A few of the most likely are: youโ€™re running a version prior to one impacted (below WooCommerce 4.0.0), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.

In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 4.0.3, 4.5.4, 5.5.3, etc), as listed in the table above.

How can I check if my reports were affected?

You can check your siteโ€™s reports to see:

  • Visit <your-domain>/wp-admin/options.php and search for the woocommerce_admin_report_export_status field. If it is present, it is possible that one of the report files may have been downloaded.
  • Visit <your-domain>/wp-content/uploads in a browser. If you receive a list of files, rather than a blank page, it is possible that a report file may have been made public.

Further questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help โ€“ open a support ticket.

Keep yourself in the loop!

Sign up for the WooCommerce developer newsletter:
Hidden
Hidden
Hidden

24 responses to “Important security patch released in WooCommerce”

  1. WooCommerce 5.7 รคr slรคppt (och ett sรคkerhetshรฅl) – WPSE

    […] men du bรถr absolut dubbelkolla. ร„r du mer intresserad av vad som skett sรฅ har man skrivit lite mer ingรฅende om detta hรคr. ร„ven WooCommerce Admin har fรฅtt en uppdatering till fรถljd av detta, bakdaterad till รคldre […]

    Reply
    1. Eric Avatar
      Eric

      The article highlights that 5.6.1 is a patched version, but it is not listed as available within https://developer.woocommerce.com/releases/ or as an option within wp-admin.

      This would be a preferred fix for those of us not ready for 5.7.0. Please make this available.

      Reply
      1. Allen Smith Avatar
        Allen Smith

        Thanks so much for highlighting this for us. We’ll work on getting those patches added to the releases page. In the meantime, folks can download these patched releases using the dropdown menu at the bottom of the following: https://wordpress.org/plugins/woocommerce/advanced/

        Reply
        1. 3ebees Avatar
          3ebees

          Thanks, Allen. Will the branch patched branch versions be available to update from within wp-admin as well? If memory serves, the last incident in July provided that option.

          Reply
          1. Allen Smith Avatar
            Allen Smith

            I will need to double-check to verify this, but I believe the patches will be pushed automatically to affected stores that haven’t explicitly disabled auto-update functionality. From within the plugins section of wp-admin on my test site, the update link appears to upgrade the store to the most recent minor version release (e.g. from 5.6.0 to 5.7.0 and not 5.6.0 to 5.6.1). If the patch fails to automatically apply on any stores you manage, however, you should be able to apply the corresponding patch manually without issue.

  2. Eric Avatar
    Eric

    It doesn’t appear that any of the patched release branches are available on the releases page–nor are they presented as an update option in wp-admin:

    https://developer.woocommerce.com/releases/

    e.g. On 5.6.0, 5.6.1 is not offered as an update path from wp-admin nor is it available on the releases page, despite being listed as a patched version.

    Reply
  3. 3ebees Avatar
    3ebees

    The patched branch releases aren’t available on the releases page despite them being highlighted in this post:

    https://developer.woocommerce.com/releases/

    e.g. 5.6.1 is not available as an update path from 5.6.0 from within wp-admin, nor is it available as a download.

    Reply
  4. Security Patch (Sept 22 2021) Branch Releases Not Available – Tech Blog

    […] the security patch highlighted earlier today (https://developer.woocommerce.com/2021/09/22/important-security-patch-released-in-woocommerce/), the patched branch releases arenโ€™t available on the releases page despite them being […]

    Reply
  5. lippiun Avatar
    lippiun

    How do i download the release zip folder for 4.0.3?

    Reply
    1. Allen Smith Avatar
      Allen Smith

      Howdy! You can find a list releases at https://developer.woocommerce.com/releases/

      Reply
  6. Lau Avatar
    Lau

    Hello, there is no release for 5.5.3 just up to 5.5.2… (checked on https://developer.woocommerce.com/releases/)
    thanks

    Reply
  7. kockylau Avatar
    kockylau

    Hi

    Sorry if this is the second comment, doesn’t seem that the first went through.
    I am looking for version 5.5.3 and can’t see it on https://developer.woocommerce.com/releases/ just up to 5.5.2
    Thanks

    Reply
    1. Allen Smith Avatar
      Allen Smith

      Thanks for catching this. The 5.5.3 patch has now been added to the list of releases on that page. ๐Ÿ˜ƒ๐Ÿ‘

      Reply
  8. kockylau Avatar
    kockylau

    I managed to find it: https://downloads.wordpress.org/plugin/woocommerce.5.5.3.zip
    Thanks

    Reply
  9. BZ Avatar
    BZ

    Hi, We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards

    Reply
    1. Allen Smith Avatar
      Allen Smith

      Howdy. This update is being pushed out similar to the update back in July. There are some situations where sites may not receive the update. For instance, if folks have explicitly disabled automatic updates, if there are filesystem permission issues, or if there are existing plugins that are preventing the update from occurring, the store wouldn’t apply the update.

      Reply
  10. BZ Avatar
    BZ

    We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards

    Reply
  11. jer Avatar
    jer

    Will this be a forced update (just like last July) or just an automatic update if this is enabled for WooCommerce under the plug-in section? Thanks in advance.

    Reply
  12. WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports – WP Tavern

    […] The minor release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting […]

    Reply
  13. Are you ready for some WordCamp US?! – The WP Minute

    […] WooCommerce released a security patch last week to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available. You should update your store right away if you do not have auto-updates turned on for your site do it now! […]

    Reply
  14. WooCommerce Community News: September 2021 – Develop with WooCommerce

    […] September 21, 2021, there was a security patch released to address a server configuration setup used by some hosts which would, in some circumstances, make […]

    Reply
  15. WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports – Ecom

    […] release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting […]

    Reply
  16. Do the Woo WooCommerce News September 24 2021

    […] This security patch was released to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available. Make sure and check out the post for further details on WooCommerce Developer Blog. […]

    Reply
  17. Weekly WordPress News: WordCamp US 2021 Happens Today

    […] Important security patch released in WooCommerce – WooCommerce 5.7.0 patches security issue. […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *