WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org

WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports

Posted by WP Tavern on September 24, 2021 at 11:47 am
WooCommerce shipped version 5.7.0 through a forced update for some users earlier this week. The minor release was not billed as a security update, but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting configurations:

"On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available."

This was technically classified as a broken access control vulnerability, according to WPScan.

WordPress.org pushed an automatic update to affected stores beginning on September 21, for all sites that have not explicitly disabled automatic updates. The WooCommerce team created patches for 18 versions back to 4.0.0, along with 17 patched versions of the WooCommerce Admin plugin.

Those whose filesystem is set to read-only, or who are running WooCommerce versions older than 4.0.0, will not have received the automatic update and should manually update their sites. WooCommerce recommends updating to the latest version, which is now 5.7.1, or to the highest number possible in your release branch. The security announcement post has detailed instructions for how store owners can check to…

