WooCommerce 6.2.1 Security Fix

WooCommerce 6.2.1 is available now. This release should be backwards compatible with the previous version and fixes two issues.

Here’s what’s new:

  • Fixed permission check for reviews in v1 & v2 REST API.
  • Fixed Path Traversal in Importers.
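The second fix concerns an importer that could be pointed at a file outside the directory it was meant to read from. The following Python example, added here and not code from WooCommerce or from this post, contrasts the generic vulnerable pattern (joining an untrusted path onto a base directory) with the hardened one (canonicalise with realpath, then require the result to stay inside the base directory). The directory layout, the file names and the "uploads" base directory are constructed for the example and are not a description of WooCommerce's importer internals.

```python
import os
import tempfile


def resolve_import_path_vulnerable(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: the caller-supplied path is joined to the import
    directory without canonicalisation, so '../' segments walk out of it and
    an absolute path replaces base_dir entirely (os.path.join semantics)."""
    return os.path.join(base_dir, user_path)


def resolve_import_path_hardened(base_dir: str, user_path: str) -> str:
    """Hardened pattern: canonicalise both sides (resolving symlinks and '..')
    and require the result to stay inside base_dir. Raises ValueError otherwise."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath compares whole components, so '/srv/uploads-evil' does not
    # pass as being inside '/srv/uploads' the way a startswith() check would.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes import directory: {user_path!r}")
    if not os.path.isfile(candidate):
        raise ValueError(f"not a regular file: {user_path!r}")
    return candidate


def _hardened_accepts(base_dir: str, user_path: str) -> bool:
    try:
        resolve_import_path_hardened(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Builds a throwaway layout (an 'uploads' directory holding a CSV, with a
    config file one level above it; all constructed for this example) and
    reports, for three inputs, whether the vulnerable resolver would open a
    real file and whether the hardened one accepts the input at all."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "products.csv"), "w") as f:
        f.write("ID,Name\n1,Widget\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php // constructed stand-in for a sensitive file\n")

    inputs = {
        "legit": "products.csv",
        "dotdot": "../wp-config.php",
        "absolute": os.path.join(root, "wp-config.php"),
    }
    results = {}
    for label, user_path in inputs.items():
        results[label] = {
            "vulnerable_reads": os.path.isfile(resolve_import_path_vulnerable(uploads, user_path)),
            "hardened_accepts": _hardened_accepts(uploads, user_path),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The absolute-path case is worth noting: os.path.join discards base_dir when the second argument is absolute, so a check that only strips "../" would still let it through, whereas the realpath plus commonpath comparison rejects it.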

You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.

As usual, if you spot issues in WooCommerce core, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.

By Claudio Sanches

Developer on the WooCommerce team and member of the WordPress Brazilian community.

16 replies on “WooCommerce 6.2.1 Security Fix”

Neither the automatic update nor a manual install of this WC 6.2.1 Security Update worked for us; it tossed our live site into a stuck maintenance mode, so this update is unstable, and we decided to switch off automatic updates for WooCommerce, although we use an automatic full-site backup before any update is installed on our site. We use the latest WordPress and the latest versions of all plugins, so please double-check this update package, thank you.


Hello Gyula, I could update some stores here without any issue, so it seems the update is working as expected. What you are reporting may be a bug in WP on your side; sometimes it fails to remove the maintenance-mode file because of incorrect permissions for the server to write or remove files, so maybe it's just the permissions on your WordPress installation folder.


I just updated my woocommerce, but some questions remain.

How serious are both of the vulnerabilities that were patched? (WooCommerce Path Traversal via Importers vulnerability and WooCommerce Arbitrary Comment Deletion vulnerability)
How to know if my site has been affected by it? I got an email from my security plugin 1 hour ago and just updated it.


Hi Jene.

The path traversal is a low severity issue. Unless you have store managers taking care of your store who could try to read data on your server they shouldn’t be able to, you are safe.

On the other hand, the Arbitrary Comment Deletion via REST API is a medium severity issue and affects every store that allows user registration (e.g. for customers or blog subscribers), so I’d recommend updating to the latest version for most stores out there. Basically, any registered user is able to edit or delete post comments, product reviews, or order notes.

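The reply above says the REST API issue let any registered user delete or edit reviews and that the path traversal needs store-manager access, and the question it answers was how to tell whether a site was hit. One practical check is to scan the web server's access logs from before the update for successful write requests against the legacy v1/v2 review routes. The Python below is an added example, not code from WooCommerce or from anyone in this thread; the route shape it matches (product-nested reviews under /wc/v1 and /wc/v2), the sample log lines and the IP addresses are constructed assumptions, and the ?_method= override it honours is the one the WordPress REST server accepts.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed shape of the legacy v1/v2 review routes (product-nested, with an
# optional review id); verify against the routes your install actually exposes.
REVIEW_ROUTE = re.compile(r"^/wc/v[12]/products/(?:\d+/)?reviews(?:/\d+)?$")


def rest_route_and_method(target: str, method: str):
    """Map a request target to its REST route, handling both pretty permalinks
    (/wp-json/...) and the ?rest_route= form, and honour the ?_method= query
    override the WordPress REST server accepts. Returns (route or None, method)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if "_method" in qs:
        method = qs["_method"][0].upper()
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].rstrip("/"), method
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0]).rstrip("/"), method
    return None, method


def suspicious_review_writes(lines):
    """Return the successful (2xx) write requests against the v1/v2 review
    routes; these are the candidates to reconcile against expected moderation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route, method = rest_route_and_method(m["target"], m["method"])
        if route is None or method not in MUTATING:
            continue
        if REVIEW_ROUTE.match(route) and m["status"].startswith("2"):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": method, "route": route})
    return hits


# Constructed sample log lines for this example (addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2022:10:01:02 +0000] "GET /wp-json/wc/v2/products/12/reviews HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2022:10:01:09 +0000] "DELETE /wp-json/wc/v2/products/12/reviews/7 HTTP/1.1" 200 51 "-" "curl/7.81.0"',
    '203.0.113.5 - - [16/Feb/2022:10:01:15 +0000] "POST /index.php?rest_route=%2Fwc%2Fv1%2Fproducts%2F12%2Freviews%2F8&_method=DELETE HTTP/1.1" 200 51 "-" "curl/7.81.0"',
    '198.51.100.9 - - [16/Feb/2022:10:02:00 +0000] "DELETE /wp-json/wc/v2/products/12/reviews/9 HTTP/1.1" 401 93 "-" "curl/7.81.0"',
    '198.51.100.9 - - [16/Feb/2022:10:02:30 +0000] "PUT /wp-json/wc/v2/products/12 HTTP/1.1" 200 2048 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for hit in suspicious_review_writes(SAMPLE_LOG):
        print(hit)
```

Two limits to keep in mind: access logs do not record which WordPress user made a request, so a legitimate moderator's cookie-authenticated deletion looks the same as an abusive one and the timestamps have to be reconciled with expected moderation activity; and a method override sent in the X-HTTP-Method-Override header is not visible in a standard log line, so a plain POST to a review route deserves the same scrutiny.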

Hey Peter, thanks for the fast and clarifying response; I updated it 2 hours ago 🙂 There's another vulnerability I found from probing Twitter about this update; is there a way to PM you the thread?



Will you be releasing a minor patch to resolve these security issues for versions 4 and 5 too? If so, what time frame are we looking at? Thanks.


Are older versions of the plugin patched down the line like was done for previous vulnerabilities? We have an older site with many WC plugins that are older and so we are hesitant to update 2 full version numbers in WC core. Can I just do a minor upgrade to my v4.x.x plugin?


This version broke WP. Here is the error:
Uncaught Error: Call to a member function is_complete() on null in …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php:173
Stack trace:
#0 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(44): WC_Admin_Dashboard_Setup->should_display_widget()
#1 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(181): WC_Admin_Dashboard_Setup->__construct()
#2 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin.php(102): include('/nas/content/li…')
#3 …/wp-includes/class-wp-hook.php(303): WC_Admin->conditional_includes(Object(WP_Screen))
#4 …/wp-includes/class-wp-hook.php(327): WP_Hook->apply_filters(NULL, Array)
#5 …/stagesim/wp-includes/plugin.php(470): WP_Hook->do_action(Array)
#6 …/stagesim/wp-admin/includes/class-wp-screen.php(421): d
