A critical vulnerability was discovered in WooCommerce (versions 8.1 to 10.4.2) that, if exploited, could allow logged-in customers to access order details belonging to guest customers. This vulnerability affected the WooCommerce Store API and has the potential to expose customer order information. We currently have no evidence of the vulnerability being used or exploited outside of our own security testing program.
The vulnerability (GHSL-2025-129) was reported by GitHub Security Lab team members Man Yue Mo and Peter Stöckli as part of Automattic’s bug bounty program. As soon as the vulnerability was reported, we began investigating whether it had been exploited and initiated development of patches for all affected versions.
Our engineering team has developed patches for every affected version branch (24 patched releases, listed in the table below) and has worked with the WordPress.org Plugins Team to auto-update impacted sites. As of 16:00 UTC, December 22, 2025, the update is being automatically rolled out to stores that are opted in to auto-updates. All WooCommerce stores hosted by Automattic, including on WordPress.com, WordPress VIP, Pressable, or those hosted via WP Cloud, were automatically updated or patched once the patch was released.
What information could be exposed?
If exploited, the vulnerability could have exposed guest customer order information, including names, email addresses, phone numbers, shipping and billing addresses, types of payment methods used, items purchased, and associated metadata (such as product customizations).
No credit card or other financial details would have been exposed.
What actions do I need to take?
Check your WooCommerce version:
- From your WordPress Admin dashboard, click the Plugins menu item, or select “Updates.”
- Look for WooCommerce in your list of plugins.
- The version number should be displayed in the Description column next to the plugin name.
- If you are running WooCommerce version 8.0 or earlier, you are not affected by this vulnerability.
- If you are running 10.4.3, or the patched release for your version branch listed in the table below (for example 9.8.6 or 10.3.7), no further action is necessary.
- If you are running an unpatched release between 8.1.0 and 10.4.2, please update immediately.
If a new version is available for download, you should see a notice guiding you to update WooCommerce — please update as soon as possible.
How do I know if my version is up to date?
Below you can find the full list of patched versions of WooCommerce. If you are running an unpatched version of WooCommerce, please update to a patched version immediately.
Patched WooCommerce versions
Unpatched versions -> Patched version
8.1.0, 8.1.1, 8.1.2 -> 8.1.3
8.2.0, 8.2.1, 8.2.2, 8.2.3 -> 8.2.4
8.3.0, 8.3.1, 8.3.2 -> 8.3.3
8.4.0, 8.4.1 -> 8.4.2
8.5.0, 8.5.1, 8.5.2, 8.5.3 -> 8.5.4
8.6.0, 8.6.1, 8.6.2 -> 8.6.3
8.7.0, 8.7.1 -> 8.7.2
8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5 -> 8.8.6
8.9.0, 8.9.1, 8.9.2, 8.9.3 -> 8.9.4
9.0.0, 9.0.1, 9.0.2 -> 9.0.3
9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4 -> 9.1.5
9.2.0, 9.2.1, 9.2.2, 9.2.3 -> 9.2.4
9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4 -> 9.3.5
9.4.0, 9.4.1, 9.4.2, 9.4.3 -> 9.4.4
9.5.0, 9.5.1, 9.5.2 -> 9.5.3
9.6.0, 9.6.1, 9.6.2 -> 9.6.3
9.7.0, 9.7.1 -> 9.7.2
9.8.0, 9.8.1, 9.8.2, 9.8.3, 9.8.4, 9.8.5 -> 9.8.6
9.9.0, 9.9.1, 9.9.2, 9.9.3, 9.9.4, 9.9.5 -> 9.9.6
10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4 -> 10.0.5
10.1.0, 10.1.1, 10.1.2 -> 10.1.3
10.2.0, 10.2.1, 10.2.2 -> 10.2.3
10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 -> 10.3.7
10.4.0, 10.4.1, 10.4.2 -> 10.4.3
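For anyone checking more than one store, the version check above and the table of patched versions can be turned into a small audit script. The following is an added example, not code from this advisory or from WooCommerce: the patched-version table is transcribed from the list above, while the function names, the status labels and the sample site inventory are constructed for illustration. Versions newer than 10.4 are outside the range the advisory names and are assumed here to already carry the fix; pre-release or otherwise unparsable version strings are reported as "unknown" for manual review rather than guessed at.

```python
"""Classify WooCommerce version strings against the advisory's patched-version table.

Added example, not part of the advisory or of WooCommerce. The table is transcribed
from the advisory; the function names, labels and sample inventory are constructed.
"""

# Lowest patched release in each affected branch, transcribed from the advisory.
PATCHED_BY_BRANCH: dict[tuple[int, int], int] = {
    (8, 1): 3, (8, 2): 4, (8, 3): 3, (8, 4): 2, (8, 5): 4, (8, 6): 3,
    (8, 7): 2, (8, 8): 6, (8, 9): 4,
    (9, 0): 3, (9, 1): 5, (9, 2): 4, (9, 3): 5, (9, 4): 4, (9, 5): 3,
    (9, 6): 3, (9, 7): 2, (9, 8): 6, (9, 9): 6,
    (10, 0): 5, (10, 1): 3, (10, 2): 3, (10, 3): 7, (10, 4): 3,
}
FIRST_AFFECTED = (8, 1)   # 8.0 and earlier are not affected
LAST_AFFECTED = (10, 4)   # 10.4.2 is the newest unpatched release named


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]'. Anything else (e.g. '10.4.3-beta.1') is rejected."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WooCommerce version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def status(text: str) -> str:
    """Return 'vulnerable', 'patched', 'not-affected' or 'unknown' for one version string."""
    try:
        major, minor, patch = parse_version(text)
    except ValueError:
        return "unknown"          # pre-release or malformed: check by hand
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not-affected"     # stated explicitly by the advisory
    if branch > LAST_AFFECTED:
        return "not-affected"     # assumption: releases after 10.4 carry the fix
    floor = PATCHED_BY_BRANCH[branch]   # every branch in range is in the table
    return "patched" if patch >= floor else "vulnerable"


def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group site names by status so the ones needing an update stand out."""
    report: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "not-affected": [], "unknown": [],
    }
    for site, version in sorted(inventory.items()):
        report[status(version)].append(site)
    return report


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "shop-a.example": "10.4.2",
    "shop-b.example": "10.4.3",
    "shop-c.example": "9.8.6",
    "shop-d.example": "8.0.3",
    "shop-e.example": "9.3.4",
    "shop-f.example": "10.4.3-beta.1",
}

if __name__ == "__main__":
    for bucket, sites in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(sites) or '-'}")
```

To build the inventory for real sites, the version can be read on each server with WP-CLI (`wp plugin get woocommerce --field=version`) or taken from the Plugins screen as described above; the script only classifies whatever strings it is given, so a site that reports an unexpected string lands in "unknown" instead of being silently treated as safe.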
Has customer data been compromised?
At this time, we have no evidence that orders or customer data were accessed as a result of this issue.
I’m a developer, agency, or hosting provider. Should I alert my clients?
Yes. We strongly encourage anyone who supports or develops for WooCommerce merchants to:
- Share this information with clients running WooCommerce 8.1 or higher.
- Verify that all client sites are updated to patched versions.
- Monitor client sites for any suspicious activity related to this vulnerability, such as customer accounts retrieving order details through the Store API for orders that are not their own.
Hosting providers may want to consider proactive outreach to affected customers and expedited auto-updates where possible.
While security vulnerabilities can arise in any software, we work diligently to identify, patch, and communicate about them as quickly as possible. The WooCommerce team takes security seriously and maintains active bug bounty programs to encourage responsible disclosure of vulnerabilities. We recommend that merchants use the most up-to-date, patched version of WooCommerce.
To keep your store secure:
- Always keep WooCommerce and all plugins up to date.
- Use strong passwords and two-factor authentication.
- Regularly back up your site.
- Monitor your site for unusual activity.
I have other questions
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
We will continue to update this post as more information becomes available.