We’re getting in touch with you, as a past or current SpiderSavvy user (with a WordPress or WooCommerce site), about a WooCommerce security vulnerability that has been identified and patched by the WooCommerce team.

As a WooCommerce development partner, we’ve been asked to communicate this to SpiderSavvy clients and users to help ensure that affected sites are updated to address this vulnerability.

This vulnerability is in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).

WooCommerce is pushing out automated updates, where possible, to patch the vulnerability, but you should check and perform updates where required if your site is affected.

The email sent out by WooCommerce about this is reproduced in full below and includes details of the action that should be taken. In addition, Woo’s blog post on the vulnerability is here.

If you need direct support from WooCommerce, you can create a support ticket here: https://woocommerce.com/my-account/create-a-ticket/.

If your site is affected, based on the versions of WooCommerce and the WooCommerce Blocks plugin identified above, and you would like support from a SpiderSavvy Expert with updating your website, you can post on SpiderSavvy as usual.

Thank you,

SpiderSavvy

———-

ORIGINAL NOTIFICATION EMAIL FROM WOOCOMMERCE

———-

Hi there,

We’re reaching out to let you know that a critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).

What actions should I take with my store?

Stores hosted on WordPress.com and WordPress VIP have already been secured. We are working with the WordPress.org Plugin Team to automatically update as many stores as possible to secure versions of WooCommerce. We also urge you, however, to take the following added precautions to safeguard your site:

  • Update your copy of WooCommerce to the latest version (5.5.1) or the highest number possible in your release branch.
  • If you are running the WooCommerce Blocks feature plugin, you’ll need to update it to the latest version (5.5.1).

What does this mean for my store?

Our investigation into this vulnerability is ongoing, but we wanted to let you know now about the importance of updating immediately.

We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

What can I expect from WooCommerce in the future?

Our intention is always to respond immediately and operate with complete transparency. Since we discovered this vulnerability yesterday, the WooCommerce team has worked around the clock to investigate the issue, audit all related codebases, and release a patch for every impacted version (90+ releases).

If you have any other questions, we’re here to help – reply to this email.