On July 13, 2021, security researcher Josh discovered and responsibly disclosed a critical vulnerability in the WooCommerce and WooCommerce Blocks feature plugin. Upon learning of the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch for every affected version (more than 90 releases), which was deployed automatically to vulnerable stores.
I have a WooCommerce store. What measures should I take?
An automatic software update to WooCommerce 5.5.1 began rolling out to each affected version of each plugin on July 14, 2021, but we still strongly recommend that you upgrade to the latest version. For WooCommerce, that is 5.5.2* or the highest version number available in your release branch. If you also run WooCommerce Blocks, you should use version 5.5.1 of that plugin.
Important note: with the release of WooCommerce 5.5.2 on July 23, 2021, the automatic update process described above has stopped.
After updating to a patched version, we also recommend:
- Updating the passwords of any administrator users on your site, especially if they reuse the same password across multiple websites
- Rotating any payment gateway and WooCommerce API keys used on your site
More information on these steps is given below.
* WooCommerce 5.5.2 was released on July 23, 2021. The fixes in that release are unrelated to the recent security vulnerability.
| WooCommerce | WooCommerce Blocks |
|---|---|
| | 2.5.16 |
| 3.5.9 | |
| 3.6.6 | |
| 4.0.2 | 3.2.1 |
| | 3.3.1 |
| 4.3.4 | |
| 4.5.3 | 3.7.2 |
| 4.6.3 | 3.8.1 |
| 4.7.2 | 3.9.1 |
| | 4.0.1 |
| 4.9.3 | 4.1.1 |
| | 4.4.3 |
| | 4.5.3 |
| | 4.6.1 |
| 5.5.2 | |
| 5.1.1 | |
| | 5.2.1 |
| | 5.3.2 |
| 5.5.1 | |
Why didn't my website update automatically?
Your site may not have been updated automatically for a number of reasons. The most likely are: you are running a version older than the affected versions (below WooCommerce 3.3), your site has explicitly disabled automatic updates, your file system is read-only, or a conflicting extension is preventing the update.
In all cases (except the first, in which case you are not affected), you should try to manually update to the latest patched version (such as 5.5.2, 5.4.2, 5.3.1, etc.), as shown in the table above.
Was any data leaked?
Based on the evidence currently available, we believe any exploitation was limited. If a store was affected, the exposed information would be specific to the content of the site, but may include order, customer and administrative information.
Because of the nature of this vulnerability, and the extremely flexible way WordPress (and WooCommerce) allows web requests to be processed, there is no definitive way to confirm that it was exploited. You may be able to detect some exploitation attempts by checking your web server access logs (or with help from your hosting provider). Requests in the following formats, from December 2019 to the present, could indicate an exploitation attempt:
- REQUEST_URI matching the regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
- REQUEST_URI matching the regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is not high-performance and will run slowly in most log environments)
- Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
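The log check described above, as an added example that is not part of the original advisory: it applies the REQUEST_URI pattern and the non-GET route check to a few constructed access-log lines in combined log format, and also flags the three source addresses the advisory names. The sample log lines, the indicator names and the helper functions are assumptions for illustration.

```python
import re
from typing import Dict, List
# One unanchored search covers both REQUEST_URI patterns in the advisory
# (the /wp-json/... and /?rest_route=... forms) in a single expression.
URI_PATTERN = re.compile(r"/wc/store/products/collection-data.*%25252", re.I)
# Routes for which any non-GET (POST or PUT) request is an indicator.
ROUTE_PATHS = ("/wp-json/wc/store/products/collection-data",
               "/?rest_route=/wc/store/products/collection-data")
# Source addresses quoted from the advisory.
KNOWN_SOURCES = {"137.116.119.175", "162.158.78.41", "103.233.135.21"}
# Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges); the bare %25252 marker stands in for an attack string.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2021:10:01:02 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts=%25252 HTTP/1.1" 200 512
203.0.113.7 - - [15/Jul/2021:10:01:05 +0000] "GET /?rest_route=/wc/store/products/collection-data&x=%25252 HTTP/1.1" 200 310
137.116.119.175 - - [15/Jul/2021:10:02:00 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 98
198.51.100.9 - - [15/Jul/2021:10:03:00 +0000] "GET /wp-json/wc/store/products/collection-data?category=12 HTTP/1.1" 200 2048
198.51.100.9 - - [15/Jul/2021:10:04:00 +0000] "GET /shop/ HTTP/1.1" 200 9001
"""

def classify(line: str) -> List[str]:
    """Return the advisory indicators matched by a single access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # unparseable line: report nothing rather than guess
    ip, method, uri, _status = m.groups()
    hits = []
    if URI_PATTERN.search(uri):
        hits.append("uri-pattern")
    if method.upper() != "GET" and uri.lower().startswith(ROUTE_PATHS):
        hits.append("non-get-collection-data")
    if ip in KNOWN_SOURCES:
        hits.append("known-source-ip")
    return hits

def scan(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers of suspicious lines to their indicators."""
    findings: Dict[int, List[str]] = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

A benign GET to the collection-data route without the %25252 marker (line 4 of the sample) is deliberately not flagged, since ordinary storefront filtering uses that endpoint.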
We have seen requests exploiting this vulnerability originating from the following IP addresses, with more than 98% coming from the first address in the list. If you see any of these IP addresses in your access logs, you should assume the vulnerability has been exploited:
- 137.116.119.175
- 162.158.78.41
- 103.233.135.21
Which passwords do I need to change?
Your passwords are unlikely to have been leaked, because they are stored as hashes.
WordPress user passwords are hashed with a salt, which means the resulting hash values are very difficult to crack. This salted hashing protects your administrator password and the passwords of all other users on your site (including customers). Although the hashed values stored in the database may have been accessed through this vulnerability, the hashes should be hard to reverse and still protect your passwords from unauthorized use.
This assumes that your site manages users with standard WordPress passwords. Depending on the plugins installed on your site, passwords or other sensitive information may be stored in a less secure way.
If any administrator user on your site may have reused the same password on multiple websites, we recommend updating those passwords to prevent them from being compromised elsewhere.
We also recommend changing any private or secret data stored in the WordPress/WooCommerce database. Depending on your specific store configuration, this may include API keys, payment gateway public/private keys, and so on.
As an extension developer or service provider, should I alert my WooCommerce merchants?
If you work with any live WooCommerce stores or merchants, we encourage you to work with them to make sure they understand this issue and update their stores to a patched version.
If you build extensions that depend on the WooCommerce API or provide a SaaS service, we encourage you to help merchants reset the keys they use to connect to your service.
As a store owner, should I alert my customers?
Whether to alert customers is ultimately up to you. Your obligation to notify customers, reset passwords, or take other steps varies with your site's infrastructure, where you and your customers are located, the data your site collects, whether your site was compromised, and so on.
The most important action you can take to protect customers is to update your WooCommerce version to one in which this vulnerability is fixed.
After updating, we recommend:
- Changing the passwords of any administrator users on the site, especially if they reuse the same password on multiple websites
- Rotating any payment gateway and WooCommerce API keys used on your site
As the owner, you ultimately decide whether to take additional precautions, such as resetting customer passwords. WordPress (and WooCommerce) user passwords are hashed with a salt, which means the resulting hash values are very difficult to crack. This salted hashing applies to all user passwords on your site, including your customers' passwords.
Is WooCommerce still safe to use?
Yes.
Incidents are not common, but unfortunately they do sometimes happen. Our intention is always to respond immediately and operate in a completely transparent manner.
Since learning of the vulnerability, the team has been working around the clock to make sure the fix is in place and our users have been informed.
Our continuous investment in platform security allows us to prevent most problems, but in the rare cases that may affect stores, we work to fix quickly, communicate proactively, and cooperate with the WooCommerce community.
What if I still have a problem?
If you have any further questions or concerns about this issue, our Happiness Engineers are available to help at any time: open a support ticket.