WooCommerce Vulnerability Reintroduced from 7.0.1

Background

Last year we were alerted to a security issue (thanks to David Anderson) that could allow users with specific capabilities (by default, this includes the Shop Manager role) to view user data for all users. This has the potential to expose sensitive information. Generally, and within WooCommerce itself, the information stored as user metadata is not sensitive; however, other plugins may store sensitive data there should they elect to. We are not aware of any case in which this would pose a risk in WooCommerce on its own.

We identified the issue and released a fix in version 7.0.1. However, this patch did not make its way into 7.2, so the vulnerability was reintroduced with that version and has been present until now.

We have deployed a fix for the vulnerability in version 8.1.1 that is now available.

This vulnerability was identified as part of our ongoing HackerOne responsible disclosure program. At this time, we have no evidence of the vulnerability being exploited in the wild.

What do I need to do?

Update your WooCommerce version to the latest version (8.1.1) as soon as possible.
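Because the fix shipped in 7.0.1, was dropped again in 7.2 and only returned in 8.1.1, "is my version affected?" is not a single less-than comparison. The following POSIX shell check is an added example (not code from the WooCommerce post or project): it reads the `Version:` header from a WordPress plugin file and classifies the version against the ranges stated above, namely anything before 7.0.1 and anything from 7.2 up to but not including 8.1.1. The plugin header below is a constructed sample so the script runs offline; the function names `vercmp`, `wc_is_affected`, `plugin_version` and `check_file` are chosen here and are not WooCommerce APIs.

```shell
#!/bin/sh
# Added example: classify an installed WooCommerce version against the
# affected ranges given in the advisory. Not part of WooCommerce itself.

# vercmp A B -> prints -1, 0 or 1 for dotted numeric versions.
# Pure POSIX sh (no `sort -V`); a trailing "." is appended so `cut`
# returns an empty field once a version runs out of components.
vercmp() {
    a="$1"; b="$2"; i=1
    while :; do
        pa=$(printf '%s.' "$a" | cut -d. -f"$i")
        pb=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$pa" ] && [ -z "$pb" ]; then printf '0\n'; return; fi
        pa=${pa:-0}; pb=${pb:-0}          # 7.2 compares equal to 7.2.0
        if [ "$pa" -lt "$pb" ]; then printf -- '-1\n'; return; fi
        if [ "$pa" -gt "$pb" ]; then printf '1\n'; return; fi
        i=$((i + 1))
    done
}

# wc_is_affected VERSION -> exit status 0 when VERSION is in an affected range:
#   - before 7.0.1 (the fix first shipped in 7.0.1), or
#   - 7.2 <= VERSION < 8.1.1 (fix missing from 7.2, restored in 8.1.1).
# Versions from 7.0.1 up to 7.2 are treated as fixed, as the post describes.
wc_is_affected() {
    v="$1"
    if [ "$(vercmp "$v" 7.0.1)" -lt 0 ]; then return 0; fi
    if [ "$(vercmp "$v" 7.2)" -ge 0 ] && [ "$(vercmp "$v" 8.1.1)" -lt 0 ]; then
        return 0
    fi
    return 1
}

# plugin_version FILE -> prints the numeric part of the "Version:" header
# from a WordPress plugin main file (pre-release suffixes are dropped).
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_file FILE -> human-readable verdict for the plugin file FILE
check_file() {
    ver=$(plugin_version "$1")
    if [ -z "$ver" ]; then
        printf 'No Version header found in %s\n' "$1"
        return 2
    fi
    if wc_is_affected "$ver"; then
        printf 'WooCommerce %s: AFFECTED, update to 8.1.1 or later\n' "$ver"
    else
        printf 'WooCommerce %s: not in an affected range\n' "$ver"
    fi
}

# Constructed sample plugin header (not a real file from any site) so the
# check can be exercised without a WordPress install.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<?php
/**
 * Plugin Name: WooCommerce
 * Version: 8.1.0
 */
EOF

check_file "$sample"
```

On a real site, pass `wp-content/plugins/woocommerce/woocommerce.php` to `check_file` instead of the sample; the version comparison deliberately ignores pre-release suffixes, so a build such as an 8.1.1 release candidate is treated as 8.1.1 and should be confirmed by hand.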

Is WooCommerce still safe to use?

Yes. While identifying new vulnerabilities is difficult, we work hard to do so proactively by partnering with HackerOne researchers to continually improve the safety of WooCommerce. Of course, finding vulnerabilities is just the first step.

Afterward, we work to track and patch any vulnerabilities as quickly as possible. And we strive to keep our merchants and customers updated on a proactive basis about the continual steps we are taking to improve the platform.

I have other questions

If anyone has further concerns or questions regarding the patches, our team of Happiness Engineers is on hand to help — please open a support ticket.

3 replies on “WooCommerce Vulnerability Reintroduced from 7.0.1”

Hey David, apologies for missing the attribution. In our haste to publish the report it was overlooked. I have corrected the post to link to the original Patch Release and have also added your name and link to the post. Please let me know if anything there is incorrect.
