A critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).
What actions should I take with my store?
Stores hosted on WordPress.com and WordPress VIP have already been secured. We are working with the WordPress.org Plugin Team, and automatic updates to secured versions of WooCommerce are currently rolling out to all stores running impacted versions of each plugin. We still urge you not to rely on the automatic update alone: check the installed version yourself and make sure you are running the latest versions of WooCommerce and WooCommerce Blocks (5.5.1).
To do this without causing issues, first update WooCommerce to the highest patched version in your current release branch (same major and minor number); that step alone removes the vulnerability. For example, if your store runs WooCommerce 4.8, first update to 4.8.1, the highest version in that branch, and only then update to 5.5.1. If you run the WooCommerce Blocks feature plugin, update it to its latest version (5.5.1) as well.
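The two-step path above (patched release in your own branch first, then 5.5.1) is easy to get wrong across many stores, so here is an added example, not code from WooCommerce or this advisory, that works it out from an installed version string and prints the matching WP-CLI commands. The only versions it takes from the advisory are 4.8 -> 4.8.1 and 5.5.1; the per-branch table is a hypothetical placeholder whose shape you would fill from the real release list, and any branch missing from it is reported as unknown rather than guessed.

```python
"""Plan the WooCommerce update path described in the advisory.

Added example, not part of the advisory. The PATCHED table below is a
constructed placeholder: only the 4.8 -> 4.8.1 and 5.5.1 entries come from
the advisory text; fill the rest from the real release list before use.
"""
from typing import List, Optional, Tuple

FINAL_TARGET = "5.5.1"   # latest release the advisory asks stores to reach
AFFECTED_MIN = (3, 3)    # affected range stated in the advisory: 3.3 ...
AFFECTED_MAX = (5, 5)    # ... up to 5.5

# HYPOTHETICAL: highest patched release per (major, minor) branch.
# Only the two entries named on the page are real; extend from the release list.
PATCHED = {
    (4, 8): "4.8.1",
    (5, 5): "5.5.1",
}


def parse(v: str) -> Tuple[int, int, int]:
    """'4.8' -> (4, 8, 0); '5.5.1' -> (5, 5, 1). Missing components count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def branch(v: str) -> Tuple[int, int]:
    """Release branch = major.minor, which is what the advisory's first step keys on."""
    return parse(v)[:2]


def is_vulnerable(installed: str) -> Optional[bool]:
    """True/False when we can tell; None when the branch is affected but not in PATCHED."""
    b = branch(installed)
    if not (AFFECTED_MIN <= b <= AFFECTED_MAX):
        return False            # outside the affected range the advisory gives
    fixed = PATCHED.get(b)
    if fixed is None:
        return None             # affected branch, but we do not know its patched release
    return parse(installed) < parse(fixed)


def update_plan(installed: str) -> List[str]:
    """Ordered versions to install: same-branch patched release first, then 5.5.1."""
    vuln = is_vulnerable(installed)
    if vuln is None:
        raise ValueError(f"no patched release known for branch {branch(installed)}")
    plan: List[str] = []
    if vuln:
        plan.append(PATCHED[branch(installed)])   # step 1: close the hole in-branch
    current = plan[-1] if plan else installed
    if parse(current) < parse(FINAL_TARGET):
        plan.append(FINAL_TARGET)                  # step 2: move to the latest release
    return plan


def wp_cli_commands(installed: str, plugin: str = "woocommerce") -> List[str]:
    """WP-CLI invocations for the plan; `wp plugin update --version` pins the target."""
    return [f"wp plugin update {plugin} --version={v}" for v in update_plan(installed)]


if __name__ == "__main__":
    # Sample input: the advisory's own worked case, a store on WooCommerce 4.8.
    for cmd in wp_cli_commands("4.8"):
        print(cmd)
```

Run it on the version reported by `wp plugin get woocommerce --field=version`; a store already on 5.5.1 gets an empty plan, a store on 4.8.1 gets only the final jump, and a store in an affected branch that is missing from the table raises instead of silently skipping the in-branch step.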
What does this mean for my store?
Our investigation into this vulnerability is ongoing, but we want you to know now how important it is to update immediately. We will share more guidance with site owners on how to investigate this vulnerability on their own sites, and will publish it on our blog when it is ready. If a store was affected, the exposed information depends on what that site stores, but could include order, customer, and administrative information.
What can I expect from WooCommerce in the future?
Our intention is always to respond immediately and operate with complete transparency. Since we discovered this vulnerability yesterday, the WooCommerce team has worked around the clock to investigate the issue, audit all related codebases, and release a patch for every impacted version (90+ releases).
If you have any other questions, we're here to help: reply to this email.