WooCommerce 6.2.1 Security Fix

WooCommerce 6.2.1 is available now. This release should be backwards compatible with the previous version and fixes two issues.

Here’s what’s new:

  • Fixed permission check for reviews in v1 & v2 REST API.
  • Fixed Path Traversal in Importers.

You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.

As usual, if you spot issues in WooCommerce core, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.


16 responses to “WooCommerce 6.2.1 Security Fix”

  1. Our automatic update or manually we couldn’t install this WC 6.2.1 Security Update, tossed our live site into a stuck maintenance mode and so this update is unstable, and so we decided to switch off automatic updates for woocommerce altough we use automatic full site backup before any update is installed onto our site. We use latest WordPress and latest versions from all plugins, so please double-check this update package, thank you.

    1. Peter Fabian Avatar
      Peter Fabian

      Hi Gyula. Sorry to hear you’re having issues. We are always testing the package before rolling it out, but it’s possible that there are configurations we don’t cover. Please reach out to our support for help or, if you manage to reproduce the problem, please open an issue in our GitHub repository.

    2. Hello Gyula, I could update some stores here without any issue, so seems like the update is working as expected. What you are reporting can be a bug on WP on your side, sometimes fails to remove the maintenance mode file because some incorrect permissions for the server to write or remove files, maybe it’s just the permissions on your WordPress folder installation.

  2. I just updated my woocommerce, but some questions remain.

    How serious are both of the vulnerabilities that were patched? (WooCommerce Path Traversal via Importers vulnerability and WooCommerce Arbitrary Comment Deletion vulnerability)
    How to know if my site has been affected by it? I got an email from my security plugin 1 hour ago and just updated it.

    1. Peter Fabian Avatar
      Peter Fabian

      Hi Jene.

      The path traversal is a low severity issue. Unless you have store managers taking care of your store who could try to read data on your server they shouldn’t be able to, you are safe.

      On the other hand, the Arbitrary Comment Deletion via REST API is a medium severity issue and affects every store that allows user registration (e.g. for customers or blog subscribers), so I’d recommend updating to the latest version for most stores out there. Basically, any registered user is able to edit or delete post comments, product reviews, or order notes.

      1. Hey Peter (), thanks for the fast and clarifying response, I updated it 2 hours ago 🙂 There’s another vulnerability I found from probing twitter about this update, is there a way to pm you the thread?

        1. Peter Fabian Avatar
          Peter Fabian

          Hi, feel free to send it me via email at my name.surname @ automattic.com (replacing the name and surname of course 🙂 )

      2. mirabelpro Avatar

        Hi. Is Arbitrary Comment Deletion via REST API issue present in Woo versions prior to 6.1?

        1. Peter Fabian Avatar
          Peter Fabian

          Yes, it is. All versions prior to 6.2.1.

  3. I just updated my woocommerce, but some questions remain.

    How serious are both of the vulnerabilities that were patched? (WooCommerce Path Traversal via Importers vulnerability and WooCommerce Arbitrary Comment Deletion vulnerability)
    How to know if my site has been affected by it? I got an email from my security plugin (patchstack.com) 1 hour ago and just updated it.

  4. mtstudios Avatar

    Will you be releasing a minor patch to resolve these security issues for versions 4 and 5 too? If so, what time frame are we looking at? Thanks.

    1. Hello, Due to the low severity of both issues we don’t intend to fix previous versions like we did before with high severity security issues.

  5. Are older versions of the plugin patched down the line like was done for previous vulnerabilities? We have an older site with many WC plugins that are older and so we are hesitant to update 2 full version numbers in WC core. Can I just do a minor upgrade to my v4.x.x plugin?

    1. Hello, the two fixes included in 6.2.1 aren’t as serious as the security flaws previously disclosed, that’s why we decided to only patch the latest release.

  6. amoranimado Avatar
    amoranimado

    This version broke the wp. Follow the error:
    Uncaught Error: Call to a member function is_complete() on null in …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php:173 Stack trace: #0 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(44): WC_Admin_Dashboard_Setup->should_display_widget() #1 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-dashboard-setup.php(181): WC_Admin_Dashboard_Setup->__construct() #2 …/wp-content/plugins/woocommerce/includes/admin/class-wc-admin.php(102): include(‘/nas/content/li…’) #3 …/wp-includes/class-wp-hook.php(303): WC_Admin->conditional_includes(Object(WP_Screen)) #4 …/wp-includes/class-wp-hook.php(327): WP_Hook->apply_filters(NULL, Array) #5 …/stagesim/wp-includes/plugin.php(470): WP_Hook->do_action(Array) #6 …/stagesim/wp-admin/includes/class-wp-screen.php(421): d

    1. Hello, sorry that you are experiencing this issue, but we haven’t changed anything for the admin dashboard in this release. This seems unrelated to the changes included in 6.2.1.

Leave a Reply

Your email address will not be published. Required fields are marked *