Store API Vulnerability Patched in WooCommerce 5.4+ – What You Need To Know

A critical vulnerability was discovered in WooCommerce versions 5.4 to 10.5.2 that, if exploited via Cross-Site Request Forgery (CSRF) delivered through a phishing link, could allow attackers to create admin accounts and potentially gain full site control. The vulnerability requires a logged-in administrator to visit a malicious link under very specific browser circumstances (i.e. a non-Chrome browser, or an older version of Chrome with a specific flag enabled), which could then trigger unauthorized actions including admin account creation, post creation, and other administrative functions. We currently have no evidence of the vulnerability being used or exploited outside of our own security testing program.

The vulnerability was reported through Automattic’s bug bounty program. As soon as the vulnerability was reported, we began investigating whether it had been exploited and initiated development of patches for all affected versions.

Our engineering team has developed patches for all 52 affected versions of WooCommerce and has worked with the WordPress.org Plugins Team to auto-update impacted sites. As of 14:00 UTC, March 02, 2026, the update is being automatically rolled out to stores that are opted in to auto updates. All WooCommerce stores hosted by Automattic, including on WordPress.com, WordPress VIP, Pressable, or those hosted via WP Cloud, were automatically updated or patched once the patch was released.

What information could be exposed?

If exploited, the vulnerability could have exposed full admin access, including customer order information such as names, email addresses, phone numbers, shipping and billing addresses, types of payment methods used, items purchased, and associated metadata (such as product customizations). 

No passwords, credit cards, or other financial details would have been exposed.

What actions do I need to take?

Check your WooCommerce version:

  1. From your WordPress Admin dashboard, click the Plugins menu item, or select “Updates.”
  2. Look for WooCommerce in your list of plugins.
  3. The version number should be displayed in the Description column next to the plugin name.
  4. If you are running WooCommerce version 5.3 or earlier, you are not affected by this vulnerability.
  5. If your current version of WooCommerce is 10.5.3, no further action is necessary.
  6. If you are running WooCommerce version 5.4 to 10.5.2, please update immediately.

If a new version is available for download, you should see a notice guiding you to update WooCommerce — please update as soon as possible.
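For stores managed from the command line, the check above can be scripted. The following is an added example written for this post, not a WooCommerce or WP-CLI tool: it parses a WooCommerce version string, reports whether it is outside the affected range, already on a patched release, or still needs an update, and names the patched release for its branch using the table further down this post. The `wp plugin get woocommerce --field=version` call in the usage line is a standard WP-CLI command and assumes WP-CLI is installed and the script is run from the WordPress root; the treatment of branches newer than 10.5 as not affected is an assumption, since they fall outside the range this advisory covers.

```shell
#!/bin/sh
# Added example (not WooCommerce's own tooling): classify a WooCommerce version
# string against this advisory's affected range (5.4.0 to 10.5.2) and the
# per-branch patched releases listed in this post.

# Highest patch level of each affected minor branch, i.e. the "Patched version"
# column of the table in this post (5.4 -> 5.4.5, ..., 10.5 -> 10.5.3).
patched_patch_level() {
    case "$1" in
        5.4)  echo 5 ;;  5.5)  echo 5 ;;  5.6)  echo 3 ;;  5.7)  echo 3 ;;
        5.8)  echo 2 ;;  5.9)  echo 2 ;;
        6.0)  echo 2 ;;  6.1)  echo 3 ;;  6.2)  echo 3 ;;  6.3)  echo 2 ;;
        6.4)  echo 2 ;;  6.5)  echo 2 ;;  6.6)  echo 2 ;;  6.7)  echo 1 ;;
        6.8)  echo 3 ;;  6.9)  echo 5 ;;
        7.0)  echo 2 ;;  7.1)  echo 2 ;;  7.2)  echo 4 ;;  7.3)  echo 1 ;;
        7.4)  echo 2 ;;  7.5)  echo 2 ;;  7.6)  echo 2 ;;  7.7)  echo 3 ;;
        7.8)  echo 4 ;;  7.9)  echo 2 ;;
        8.0)  echo 5 ;;  8.1)  echo 4 ;;  8.2)  echo 5 ;;  8.3)  echo 4 ;;
        8.4)  echo 3 ;;  8.5)  echo 5 ;;  8.6)  echo 4 ;;  8.7)  echo 3 ;;
        8.8)  echo 7 ;;  8.9)  echo 5 ;;
        9.0)  echo 4 ;;  9.1)  echo 6 ;;  9.2)  echo 5 ;;  9.3)  echo 6 ;;
        9.4)  echo 5 ;;  9.5)  echo 4 ;;  9.6)  echo 4 ;;  9.7)  echo 3 ;;
        9.8)  echo 7 ;;  9.9)  echo 7 ;;
        10.0) echo 6 ;;  10.1) echo 4 ;;  10.2) echo 4 ;;  10.3) echo 8 ;;
        10.4) echo 4 ;;  10.5) echo 3 ;;
        *) return 1 ;;
    esac
}

# Prints one of: not-affected | patched | affected -> update to X.Y.Z | unknown
# Exit status: 0 when no update is needed, 1 when an update is required,
# 2 when the version string could not be parsed.
woo_status() {
    ver=$1
    case "$ver" in
        *.*) ;;
        *) echo unknown; return 2 ;;             # needs at least major.minor
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0            # "9.4" is treated as 9.4.0
    patch=${patch%%[!0-9]*}                      # "3-beta1" -> "3"
    [ -n "$patch" ] || patch=0
    case "$major" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 2 ;; esac

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 4 ]; }; then
        echo not-affected                        # 5.3 and earlier, per the advisory
        return 0
    fi
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -gt 5 ]; }; then
        echo not-affected                        # assumption: branches newer than 10.5 are outside this advisory
        return 0
    fi
    fixed=$(patched_patch_level "$major.$minor") || { echo unknown; return 2; }
    if [ "$patch" -ge "$fixed" ]; then
        echo patched
        return 0
    fi
    echo "affected -> update to $major.$minor.$fixed"
    return 1
}

# Pass a version string to check it offline, or feed in the live value from WP-CLI
# (assumes WP-CLI is installed and this runs from the WordPress root):
#   sh woo_check.sh "$(wp plugin get woocommerce --field=version)"
if [ $# -gt 0 ]; then
    woo_status "$1"
else
    echo "usage: $0 <woocommerce-version>" >&2
fi
```

The exit status makes the script usable in fleet checks: a hosting provider can loop over site roots, run it with the live version, and collect every site that returns 1 for an expedited `wp plugin update woocommerce`.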

How do I know if my version is up to date?

Below you can find the full list of patched versions of WooCommerce. If you are running an unpatched version of WooCommerce, please update to a patched version immediately.

Patched WooCommerce versions

Unpatched versions (5.4.0 to 10.5.2) -> Patched version

5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4 -> 5.4.5
5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4 -> 5.5.5
5.6.0, 5.6.1, 5.6.2 -> 5.6.3
5.7.0, 5.7.1, 5.7.2 -> 5.7.3
5.8.0, 5.8.1 -> 5.8.2
5.9.0, 5.9.1 -> 5.9.2
6.0.0, 6.0.1 -> 6.0.2
6.1.0, 6.1.1, 6.1.2 -> 6.1.3
6.2.0, 6.2.1, 6.2.2 -> 6.2.3
6.3.0, 6.3.1 -> 6.3.2
6.4.0, 6.4.1 -> 6.4.2
6.5.0, 6.5.1 -> 6.5.2
6.6.0, 6.6.1 -> 6.6.2
6.7.0 -> 6.7.1
6.8.0, 6.8.1, 6.8.2 -> 6.8.3
6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4 -> 6.9.5
7.0.0, 7.0.1 -> 7.0.2
7.1.0, 7.1.1 -> 7.1.2
7.2.0, 7.2.1, 7.2.2, 7.2.3 -> 7.2.4
7.3.0 -> 7.3.1
7.4.0, 7.4.1 -> 7.4.2
7.5.0, 7.5.1 -> 7.5.2
7.6.0, 7.6.1 -> 7.6.2
7.7.0, 7.7.1, 7.7.2 -> 7.7.3
7.8.0, 7.8.1, 7.8.2, 7.8.3 -> 7.8.4
7.9.0, 7.9.1 -> 7.9.2
8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4 -> 8.0.5
8.1.0, 8.1.1, 8.1.2, 8.1.3 -> 8.1.4
8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4 -> 8.2.5
8.3.0, 8.3.1, 8.3.2, 8.3.3 -> 8.3.4
8.4.0, 8.4.1, 8.4.2 -> 8.4.3
8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4 -> 8.5.5
8.6.0, 8.6.1, 8.6.2, 8.6.3 -> 8.6.4
8.7.0, 8.7.1, 8.7.2 -> 8.7.3
8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6 -> 8.8.7
8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.9.4 -> 8.9.5
9.0.0, 9.0.1, 9.0.2, 9.0.3 -> 9.0.4
9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5 -> 9.1.6
9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4 -> 9.2.5
9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5 -> 9.3.6
9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4 -> 9.4.5
9.5.0, 9.5.1, 9.5.2, 9.5.3 -> 9.5.4
9.6.0, 9.6.1, 9.6.2, 9.6.3 -> 9.6.4
9.7.0, 9.7.1, 9.7.2 -> 9.7.3
9.8.0, 9.8.1, 9.8.2, 9.8.3, 9.8.4, 9.8.5, 9.8.6 -> 9.8.7
9.9.0, 9.9.1, 9.9.2, 9.9.3, 9.9.4, 9.9.5, 9.9.6 -> 9.9.7
10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5 -> 10.0.6
10.1.0, 10.1.1, 10.1.2, 10.1.3 -> 10.1.4
10.2.0, 10.2.1, 10.2.2, 10.2.3 -> 10.2.4
10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7 -> 10.3.8
10.4.0, 10.4.1, 10.4.2, 10.4.3 -> 10.4.4
10.5.0, 10.5.1, 10.5.2 -> 10.5.3

Has customer data been compromised?

At this time, we have no evidence that orders or customer data were accessed as a result of this issue.

I’m a developer, agency, or hosting provider. Should I alert my clients?

Yes. We strongly encourage anyone who supports or develops for WooCommerce merchants to:

  • Share this information with clients running WooCommerce 5.4 or higher.
  • Verify that all client sites are updated to patched versions.
  • Monitor client sites for any suspicious activity related to this vulnerability.

Hosting providers may want to consider proactive outreach to affected customers and expedited auto-updates where possible.

What’s the best approach to running a secure WooCommerce store?

While security vulnerabilities can arise in any software, we work diligently to identify, patch, and communicate about them as quickly as possible. The WooCommerce team takes security seriously and maintains active bug bounty programs to encourage responsible disclosure of vulnerabilities. We recommend that merchants use the most up-to-date, patched version of WooCommerce.

This particular vulnerability highlights the importance of being vigilant about links you click while logged into WordPress admin. CSRF attacks rely on tricking administrators into visiting malicious pages through suspicious emails, fake support requests, or compromised websites. To reduce your risk, consider using a separate browser or profile exclusively for WordPress admin access, log out when not actively managing your site, and always verify URLs before clicking links — especially those from unexpected emails, social media, or forum posts. If you suspect you’ve been targeted, immediately change your admin password and review recently created user accounts for unauthorized additions.
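The review step above, and the "monitor client sites" advice for agencies and hosts earlier on this page, both come down to the same question: what administrator accounts and posts appeared after a given date? The following is an added example, not WooCommerce's own tooling, that filters WP-CLI CSV output by a cutoff date. The `wp user list` and `wp post list` invocations in the comments are standard WP-CLI commands and assume WP-CLI is installed and the command runs from the WordPress root; the sample accounts are constructed for the example and do not come from any real site.

```shell
#!/bin/sh
# Added example (not WooCommerce's own tooling): print rows whose leading date
# column is on or after a cutoff, for reviewing the admin accounts and posts
# this advisory says a successful CSRF could have created.
#
# Feed it WP-CLI CSV output with the date field listed first, e.g.
#   wp user list --role=administrator \
#       --fields=user_registered,ID,user_login,user_email --format=csv \
#       | recent_since 2026-03-01
#   wp post list --post_status=any \
#       --fields=post_date,ID,post_author,post_title --format=csv \
#       | recent_since 2026-03-01
# (assumes WP-CLI is installed and the command runs from the WordPress root).
recent_since() {
    cutoff=$1                                   # YYYY-MM-DD
    # ISO dates compare correctly as plain strings, so no date(1) portability
    # issues; keeping the date in column 1 means commas in later fields
    # (such as post titles) cannot shift the column being compared.
    awk -F, -v cutoff="$cutoff" '
        NR == 1 { next }                        # skip the CSV header row
        substr($1, 1, 10) >= cutoff { print }
    '
}

# Constructed sample in the same shape as the wp user list output above
# (accounts and addresses are made up for this example).
SAMPLE_ADMINS='user_registered,ID,user_login,user_email
2021-06-14 09:12:00,1,owner,owner@example.com
2024-01-03 16:40:11,7,support,support@example.com
2026-03-01 02:17:55,42,wp_sys_admin,nobody@example.net'

# Demonstration on the sample: only the account registered after the cutoff is printed.
printf '%s\n' "$SAMPLE_ADMINS" | recent_since 2026-02-01
```

Any administrator account or post in the output that nobody on the team recognises is worth treating as unauthorized: remove or demote the account, rotate the admin password as this post advises, and keep the CSV rows as evidence for the hosting provider.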

To keep your store secure:

  • Always keep WooCommerce and all plugins up to date.
  • Use strong passwords and two-factor authentication.
  • Regularly back up your site.
  • Monitor your site for unusual activity.

I have other questions

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help. Open a support ticket.

We will continue to update this post as more information becomes available.

