On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.
Upon learning of the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch for every impacted version (90+ releases), which was deployed automatically to vulnerable stores.
I have a WooCommerce store – what actions should I take?
Automatic software updates are rolling out now to all stores running impacted versions of each plugin, but we still highly recommend that you confirm you are using the latest version. For WooCommerce, this is 5.5.1, or the highest patched release in your release branch. If you are also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin. Do not rely on the automatic update alone: check the installed version yourself on the Plugins screen, since a site with automatic updates disabled will not receive it.
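As an added example (not code from WooCommerce or from this advisory), the Python check below reads the installed version from a plugin's main-file header and compares it against the patched release for its branch. Only the 5.5.1 entries in the table come from the text above; the other branch values must be added from the official release list, and an unlisted branch is reported rather than assumed safe. The plugin names used as table keys and the sample header are constructed for illustration. It also shows why versions must be compared numerically: as strings, "5.10.0" sorts below "5.5.1".

```python
"""Branch-aware check of an installed plugin version against the patched
release for that branch. Added example; not WooCommerce's own code."""
import re
from typing import Tuple

# Patched versions keyed by plugin, then by release branch (major.minor).
# Only the 5.5 entries are stated in the advisory; add the patched release
# for every other branch from the official release list before relying on
# this table. An unknown branch is reported, never assumed safe.
PATCHED = {
    "WooCommerce": {"5.5": "5.5.1"},
    "WooCommerce Blocks": {"5.5": "5.5.1"},
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?\s*$")
# Same header line WordPress itself reads from a plugin's main PHP file.
_HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$",
                        re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '5.10.0' into a tuple that compares numerically.

    String comparison gets this wrong ('5.10.0' < '5.5.1' as strings).
    A pre-release suffix such as '5.5.1-rc.1' is flagged 0 so it sorts
    below the final 5.5.1, which is flagged 1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers = numbers + (0,) * (3 - len(numbers))  # pad '5.5' to '5.5.0'
    return numbers, 0 if m.group(2) else 1


def version_from_plugin_header(php_source: str) -> str:
    """Extract the 'Version:' header from a plugin's main file."""
    m = _HEADER_RE.search(php_source)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def release_branch(version: str) -> str:
    numbers, _ = parse_version(version)
    return f"{numbers[0]}.{numbers[1]}"


def check(plugin: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a plugin."""
    table = PATCHED.get(plugin, {})
    if not table:
        raise KeyError(f"no patched-version data for {plugin!r}")
    current = parse_version(installed)
    # Anything at or above the newest patched release already carries the fix.
    newest = max(table.values(), key=parse_version)
    if current >= parse_version(newest):
        return "patched"
    patched = table.get(release_branch(installed))
    if patched is None:
        return "unknown-branch"
    return "patched" if current >= parse_version(patched) else "vulnerable"


# Constructed sample of the header WordPress reads from a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce
 * Version: 5.5.0
 */
"""

if __name__ == "__main__":
    found = version_from_plugin_header(SAMPLE_HEADER)
    print("WooCommerce", found, check("WooCommerce", found))
    for v in ("5.5.1", "5.10.0", "5.5.1-rc.1", "5.4.2"):
        print("WooCommerce", v, check("WooCommerce", v))
```

Point the header parser at the real main file of each plugin (`woocommerce.php` for WooCommerce) instead of the constructed sample, and treat an `unknown-branch` result as a prompt to look up the patched release for that branch or to move to 5.5.1.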
Has any data been compromised?
Our investigation into this vulnerability, and into whether any data has been compromised, is ongoing. Once it is ready, we will publish guidance on our blog for site owners on how to investigate whether their own site was affected. If a store was affected, the exposed information will depend on what that site stores, but could include order, customer, and administrative information.
Is WooCommerce still safe to use?
Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency.
Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed.
Our continued investment in platform security allows us to prevent the vast majority of issues. In the rare cases that could impact stores, we strive to fix quickly, communicate proactively, and work collaboratively with the WooCommerce community.