On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.
What actions should I take?
Automatic software updates began rolling out on September 21, 2021, to all stores running impacted versions of WooCommerce, but we still highly recommend you ensure that you’re using a patched version. This is 5.7.0 or the highest number possible in your release branch.
After updating to a patched version, we also recommend disabling Directory Listing on your web server, if it isn’t already. This feature displays a list of every file in the web directory when there is no index file present. You can check if this is active by visiting
<domain>/wp-content/uploads in a browser. If you’re not sure how to disable this, please contact your web host directly.
How do I know if my version is up-to-date?
The table below contains the full list of patched versions of WooCommerce and WooCommerce Admin. If you are running a version of WooCommerce that is not on this list, please update immediately to the highest version in your release branch. Once you update to any of the patched versions of WooCommerce below, WooCommerce Admin should update automatically.
|Patched versions of WooCommerce|
|Patched versions of WooCommerce Admin|
Why didn’t my website get the automatic update?
Your site may not have automatically updated for a number of reasons. A few of the most likely are: you’re running a version prior to one impacted (below WooCommerce 4.0.0), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.
In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 4.0.3, 4.5.4, 5.5.3, etc), as listed in the table above.
How can I check if my reports were affected?
You can check your site’s reports to see:
<your-domain>/wp-admin/options.phpand search for the
woocommerce_admin_report_export_statusfield. If it is present, it is possible that one of the report files may have been downloaded.
<your-domain>/wp-content/uploadsin a browser. If you receive a list of files, rather than a blank page, it is possible that a report file may have been made public.
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
23 replies on “Important security patch released in WooCommerce”
[…] men du bör absolut dubbelkolla. Är du mer intresserad av vad som skett så har man skrivit lite mer ingående om detta här. Även WooCommerce Admin har fått en uppdatering till följd av detta, bakdaterad till äldre […]
The article highlights that 5.6.1 is a patched version, but it is not listed as available within https://developer.woocommerce.com/releases/ or as an option within wp-admin.
This would be a preferred fix for those of us not ready for 5.7.0. Please make this available.
Thanks so much for highlighting this for us. We’ll work on getting those patches added to the releases page. In the meantime, folks can download these patched releases using the dropdown menu at the bottom of the following: https://wordpress.org/plugins/woocommerce/advanced/
Thanks, Allen. Will the branch patched branch versions be available to update from within wp-admin as well? If memory serves, the last incident in July provided that option.
I will need to double-check to verify this, but I believe the patches will be pushed automatically to affected stores that haven’t explicitly disabled auto-update functionality. From within the plugins section of wp-admin on my test site, the update link appears to upgrade the store to the most recent minor version release (e.g. from 5.6.0 to 5.7.0 and not 5.6.0 to 5.6.1). If the patch fails to automatically apply on any stores you manage, however, you should be able to apply the corresponding patch manually without issue.
It doesn’t appear that any of the patched release branches are available on the releases page–nor are they presented as an update option in wp-admin:
e.g. On 5.6.0, 5.6.1 is not offered as an update path from wp-admin nor is it available on the releases page, despite being listed as a patched version.
The patched branch releases aren’t available on the releases page despite them being highlighted in this post:
e.g. 5.6.1 is not available as an update path from 5.6.0 from within wp-admin, nor is it available as a download.
[…] the security patch highlighted earlier today (https://developer.woocommerce.com/2021/09/22/important-security-patch-released-in-woocommerce/), the patched branch releases aren’t available on the releases page despite them being […]
How do i download the release zip folder for 4.0.3?
Howdy! You can find a list releases at https://developer.woocommerce.com/releases/
Hello, there is no release for 5.5.3 just up to 5.5.2… (checked on https://developer.woocommerce.com/releases/)
Sorry if this is the second comment, doesn’t seem that the first went through.
I am looking for version 5.5.3 and can’t see it on https://developer.woocommerce.com/releases/ just up to 5.5.2
Thanks for catching this. The 5.5.3 patch has now been added to the list of releases on that page. 😃👍
LikeLiked by 1 person
I managed to find it: https://downloads.wordpress.org/plugin/woocommerce.5.5.3.zip
LikeLiked by 1 person
Hi, We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards
Howdy. This update is being pushed out similar to the update back in July. There are some situations where sites may not receive the update. For instance, if folks have explicitly disabled automatic updates, if there are filesystem permission issues, or if there are existing plugins that are preventing the update from occurring, the store wouldn’t apply the update.
We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards
Will this be a forced update (just like last July) or just an automatic update if this is enabled for WooCommerce under the plug-in section? Thanks in advance.
[…] The minor release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting […]
[…] WooCommerce released a security patch last week to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available. You should update your store right away if you do not have auto-updates turned on for your site do it now! […]
[…] September 21, 2021, there was a security patch released to address a server configuration setup used by some hosts which would, in some circumstances, make […]
[…] release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting […]
[…] This security patch was released to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available. Make sure and check out the post for further details on WooCommerce Developer Blog. […]