A critical security vulnerability has been identified in WooCommerce and the WooCommerce Blocks plugin, necessitating an emergency update. This update needs to be applied immediately to keep your site safe.
Managed WordPress Customers
Conetix will install the update on your behalf. This is being rolled out at present and we expect all sites to be patched and fully protected very shortly.
Update: All managed clients have been patched.
If you log in to your WordPress instance and it is running WooCommerce 5.5.1, 5.4.2, 5.3.1 or 5.2.3, then your system has been patched.
Standard Hosting Customers and Virtual Private Server Customers
For all plans where Conetix doesn’t manage the WordPress updates on your behalf, you or your developer will need to perform the update yourself.
We highly recommend taking a backup before running the update.
Frequently Asked Questions
How do I know if I’m affected?
All WooCommerce versions between 3.3 and 5.5 are affected.
All WooCommerce Blocks versions between 2.5 and 5.5 are affected.
Which version is up-to-date?
Only 5.5.1 is up-to-date and protected against the vulnerability.
Update: The WooCommerce team are releasing backported updates. For example, if you’re running WooCommerce 5.4, 5.4.2 has been released which contains the fix.
Please check the releases list for versions released 14 July 2021: https://developer.woocommerce.com/releases/
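The version check described above, as an added shell example (not Conetix or WooCommerce code). It covers the WooCommerce plugin only and knows only the patched releases named in this advisory; the function name and status strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a WooCommerce version against this advisory.
# Patched releases named in the advisory, one per release branch.
PATCHED_RELEASES="5.5.1 5.4.2 5.3.1 5.2.3"

# wc_patch_status VERSION   (hypothetical helper name)
# Prints: patched | vulnerable | check-releases | not-affected | invalid
wc_patch_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|*..*|*.) echo invalid; return 2 ;;  # rc/beta tags: check by hand
        [0-9]*.[0-9]*) ;;
        *) echo invalid; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                                  # "5.4" is treated as 5.4.0
    esac
    # Advisory: WooCommerce 3.3 through 5.5 is affected.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 3 ]; } ||
       [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 5 ]; }; then
        echo not-affected; return 0
    fi
    # Same branch as a listed fix: compare the patch number.
    for fixed in $PATCHED_RELEASES; do
        if [ "${fixed%.*}" = "$major.$minor" ]; then
            if [ "$patch" -ge "${fixed##*.}" ]; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    # Affected branch with no fix listed here: look it up in the releases list.
    echo check-releases
}

# Usage with WP-CLI, run from the site's WordPress directory:
#   wc_patch_status "$(wp plugin get woocommerce --field=version)"
```

A result of check-releases means the branch is in the affected range but its backported fix is not listed in this advisory, so confirm against the releases list linked above.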
What can be exploited?
At this stage, we’re not sure what the ramifications of the vulnerability are. The priority is to patch the sites to ensure it simply can’t be exploited.
Update: The exploit has been used to gain access to a list of administrator accounts along with hashed versions of their passwords. As a precaution, we recommend updating your administrator passwords.
How do I know if I’ve been exploited?
The Conetix team is reviewing logs to determine how to detect if a site has been exploited and if so, what the implications are. We will individually contact all affected customers on our platform.