Developer Advisory: Backporting Notice for WooCommerce Versions 7.8.0 – 8.9.1

We are issuing this advisory to alert the WooCommerce community about an issue involving the unintended loading of a file on the frontend of WooCommerce storefronts for versions 7.8.0 through 8.9.1.

The Details

In WooCommerce versions 7.8.0 through 8.9.1, we have discovered a request that causes some basic request data (including the IP address of the site visitor) to be stored in our server request logs, hosted on Automattic (Woo’s parent company) infrastructure, for a maximum of 14 days. Starting with WooCommerce 7.8.0 and continuing through the most recent release, 8.9.1, the https://stats.wp.com/w.js file is loaded on every frontend page. Loading this file was introduced as part of a feature to register server-side tracking during REST requests, as documented in Issue #37796.

Issue Overview

  • Problem: Any WooCommerce site with tracking enabled will load a file, https://stats.wp.com/w.js, on every frontend page. Our server request logs for this file collect data such as IP address, referrer, timestamp, user agent, HTTP version, response code, response size, and response time.
  • Impact: The script itself does not actively send tracking data to Automattic. The data stored in WordPress.com server logs is the same data that would exist on request logs of the server a store is hosted on when a user visits the storefront. However, out of an abundance of caution, and as part of our commitment to data privacy, we have decided to apply the fix to all affected versions of WooCommerce to prevent unnecessary requests for this file.

How Can I Tell If This Affects Me?

To determine if your WooCommerce installation is affected by this issue, check the version of WooCommerce you are running. If your site is using WooCommerce versions 7.8.0 through 8.9.1 and has tracking enabled, you are likely affected. If you see the file https://stats.wp.com/w.js loading on your frontend pages, you are affected.

If your site is also connected to Jetpack, the file is expected to be requested from the frontend of the site when certain features (such as Jetpack Search) are active.
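
The two checks above (version range, and whether the page source references w.js) combined in an added Python example; this is not code from WooCommerce or from the authors of this advisory. The patched-version map is copied from the table in this advisory, the sample page sources are constructed, and the function names are illustrative.

```python
import re

# Latest patched release per affected branch, copied from the advisory's table.
PATCHED = {(8, 9): 2, (8, 8): 4, (8, 7): 1, (8, 6): 2, (8, 5): 3, (8, 4): 1,
           (8, 3): 2, (8, 2): 3, (8, 1): 2, (8, 0): 4, (7, 9): 1, (7, 8): 3}

# <script> tag whose src is the advisory's file (http, https or protocol-relative).
W_JS = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//stats\.wp\.com/w\.js\b', re.I)

def parse(version):
    """Return (major, minor, patch) from a string such as '8.9.1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def version_status(version):
    """'affected', 'patched', or 'outside advisory range' (before 7.8 or after 8.9)."""
    major, minor, patch = parse(version)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "outside advisory range"
    return "patched" if patch >= fixed else "affected"

def loads_w_js(html):
    """True if the served page source references stats.wp.com/w.js in a script tag."""
    return bool(W_JS.search(html))

def assess(version, html, jetpack_connected=False):
    """Combine the advisory's two checks into one verdict string."""
    major, minor, _ = parse(version)
    status, loaded = version_status(version), loads_w_js(html)
    if status == "affected":
        target = f"{major}.{minor}.{PATCHED[(major, minor)]}"
        prefix = "affected" if loaded else "likely affected if tracking is enabled"
        return f"{prefix}: update to {target}"
    if loaded and jetpack_connected:
        return "w.js present: expected when certain Jetpack features are active"
    if loaded:
        return f"w.js present although WooCommerce is {status}"
    return f"no w.js request; WooCommerce is {status}"

# Constructed sample page sources (not captured from a real store).
SAMPLE_HIT = '<script src="https://stats.wp.com/w.js?ver=1"></script>'
SAMPLE_CLEAN = '<script src="/assets/theme.js"></script>'

if __name__ == "__main__":
    print(assess("8.6.1", SAMPLE_HIT))
    print(assess("8.9.2", SAMPLE_CLEAN))
```

The check inspects only the served HTML, so a script tag injected later by client-side code would not be seen.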

Immediate Actions We Are Taking

  • Backport Patch Development: A patch has been developed to address this issue by preventing the unnecessary request to the file on frontend pages. This patch will be released for all affected versions of WooCommerce.
  • Data: WordPress.com server request logs for the file retrieved from “https://stats.wp.com/w.js” have a default retention policy of 14 days. Once a site is updated to the patched version of WooCommerce, requests will not be initiated from the frontend of the site for that file and previous records related to those requests will be automatically deleted after 14 days.

What Action Should I Take?

Automatic software updates to WooCommerce began rolling out on June 4, 2024. However, we encourage you to make sure you are running the latest version of WooCommerce or have the latest security patch applied to your version.

Latest Patched Versions from 7.8-8.9
Version    Download
8.9.2      Zip
8.8.4      Zip
8.7.1      Zip
8.6.2      Zip
8.5.3      Zip
8.4.1      Zip
8.3.2      Zip
8.2.3      Zip
8.1.2      Zip
8.0.4      Zip
7.9.1      Zip
7.8.3      Zip
