WooCommerce 6.2.1 Security Fix

WooCommerce 6.2.1 is available now. This release should be backwards compatible with the previous version and fixes two issues.

Here’s what’s new:

Fixed permission check for reviews in v1 & v2 REST API.
Fixed Path Traversal in Importers.

You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.

As usual, if you spot issues in WooCommerce core, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.

Keep yourself in the loop!

16 responses to “WooCommerce 6.2.1 Security Fix”

Gyula Csiak

February 23, 2022

Our automatic update or manually we couldn’t install this WC 6.2.1 Security Update, tossed our live site into a stuck maintenance mode and so this update is unstable, and so we decided to switch off automatic updates for woocommerce altough we use automatic full site backup before any update is installed onto our site. We use latest WordPress and latest versions from all plugins, so please double-check this update package, thank you.

Reply
1. Peter Fabian
  
  February 23, 2022
  
  Hi Gyula. Sorry to hear you’re having issues. We are always testing the package before rolling it out, but it’s possible that there are configurations we don’t cover. Please reach out to our support for help or, if you manage to reproduce the problem, please open an issue in our GitHub repository.
  
  Reply
2. Claudio Sanches
  
  February 23, 2022
  
  Hello Gyula, I could update some stores here without any issue, so seems like the update is working as expected. What you are reporting can be a bug on WP on your side, sometimes fails to remove the maintenance mode file because some incorrect permissions for the server to write or remove files, maybe it’s just the permissions on your WordPress folder installation.
  
  Reply
Jene

February 23, 2022

I just updated my woocommerce, but some questions remain.

How serious are both of the vulnerabilities that were patched? (WooCommerce Path Traversal via Importers vulnerability and WooCommerce Arbitrary Comment Deletion vulnerability)
How to know if my site has been affected by it? I got an email from my security plugin 1 hour ago and just updated it.

Reply
1. Peter Fabian
  
  February 23, 2022
  
  Hi Jene.
  
  The path traversal is a low severity issue. Unless you have store managers taking care of your store who could try to read data on your server they shouldn’t be able to, you are safe.
  
  On the other hand, the Arbitrary Comment Deletion via REST API is a medium severity issue and affects every store that allows user registration (e.g. for customers or blog subscribers), so I’d recommend updating to the latest version for most stores out there. Basically, any registered user is able to edit or delete post comments, product reviews, or order notes.
  
  Reply
  1. Jene
    
    February 23, 2022
    
    Hey Peter (), thanks for the fast and clarifying response, I updated it 2 hours ago 🙂 There’s another vulnerability I found from probing twitter about this update, is there a way to pm you the thread?
    
    Reply
    1. Peter Fabian
      
      February 23, 2022
      
      Hi, feel free to send it me via email at my name.surname @ automattic.com (replacing the name and surname of course 🙂 )
      
      Reply
  2. mirabelpro
    
    February 23, 2022
    
    Hi. Is Arbitrary Comment Deletion via REST API issue present in Woo versions prior to 6.1?
    
    Reply
    1. Peter Fabian
      
      February 23, 2022
      
      Yes, it is. All versions prior to 6.2.1.
      
      Reply
africaminhamarketplace

February 23, 2022

I just updated my woocommerce, but some questions remain.

How serious are both of the vulnerabilities that were patched? (WooCommerce Path Traversal via Importers vulnerability and WooCommerce Arbitrary Comment Deletion vulnerability)
How to know if my site has been affected by it? I got an email from my security plugin (patchstack.com) 1 hour ago and just updated it.

Reply
mtstudios

February 24, 2022

Will you be releasing a minor patch to resolve these security issues for versions 4 and 5 too? If so, what time frame are we looking at? Thanks.

Reply
1. Claudio Sanches
  
  February 28, 2022
  
  Hello, Due to the low severity of both issues we don’t intend to fix previous versions like we did before with high severity security issues.
  
  Reply
shorelineteam

February 24, 2022

Are older versions of the plugin patched down the line like was done for previous vulnerabilities? We have an older site with many WC plugins that are older and so we are hesitant to update 2 full version numbers in WC core. Can I just do a minor upgrade to my v4.x.x plugin?

Reply
1. Claudio Sanches
  
  February 28, 2022
  
  Hello, the two fixes included in 6.2.1 aren’t as serious as the security flaws previously disclosed, that’s why we decided to only patch the latest release.
  
  Reply
amoranimado

February 24, 2022

This version broke the wp. Follow the error:
Uncaught Error: Call to a member function is_complete() on null in …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php:173 Stack trace: #0 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(44): WC_Admin_Dashboard_Setup->should_display_widget() #1 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(181): WC_Admin_Dashboard_Setup->__construct() #2 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin.php(102): include(‘/nas/content/li…’) #3 …/wp-includes/class-wp-hook.php(303): WC_Admin->conditional_includes(Object(WP_Screen)) #4 …/wp-includes/class-wp-hook.php(327): WP_Hook->apply_filters(NULL, Array) #5 …/stagesim/wp-includes/plugin.php(470): WP_Hook->do_action(Array) #6 …/stagesim/wp-admin/includes/class-wp-screen.php(421): d

Reply
1. Claudio Sanches
  
  February 28, 2022
  
  Hello, sorry that you are experiencing this issue, but we haven’t changed anything for the admin dashboard in this release. This seems unrelated to the changes included in 6.2.1.
  
  Reply