A Critical WooCommerce Vulnerability Promptly Addressed
Last week, the Woo team announced a critical vulnerability in the most popular eCommerce plugin for WordPress – WooCommerce. As described in their post, security updates were pushed to all Woo branches for users who have not disabled such updates. This was done in a very fast and efficient way. Furthermore, the Woo team has been extremely cooperative with providing all the needed information that allowed us to proactively add security rules to our WAF (Web Application Firewall) for an additional layer of protection. Read below to learn more about all actions taken and their results.
Branched updates pushed by Woo
Due to the severity of the vulnerabilities discovered, the WooCommerce team worked more than 36 hours around the clock to patch every major release branch. This means that you don’t have to switch from WooCommerce 4 to 5 to protect yourself. Those updates were pushed and, unless you explicitly disabled them, your WooCommerce installation has most probably already been patched. However, we strongly recommend that you check this! All WooCommerce versions prior to the latest patch are vulnerable. You can check your version and compare it to the WooCommerce Releases (https://developer.woocommerce.com/releases/) page. For example, if you have WooCommerce 5.5.1 you should simply update to 5.5.2. That will fix the security problem without breaking any functionality.
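One way to automate the check described above, as an added example that is not SiteGround's or Woo's own code: it reads the installed version from the plugin's main-file header (the "Version:" line WordPress reports) and, for that release branch, returns the patched version to move to. The header text and the branch table are constructed; only the 5.5 to 5.5.2 entry comes from the article, and the other branches must be filled in from the Releases page.

```python
import re
from typing import Optional

# Constructed sample of a plugin main-file header (not real WooCommerce source).
# WordPress reads the "Version:" line of this file to report the installed version.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WooCommerce
 * Version: 5.5.1
 */
"""

# Patched version per release branch. Only the 5.5 entry is given by the article;
# add the remaining branches from the WooCommerce Releases page before use.
PATCHED_BY_BRANCH = {"5.5": "5.5.2"}


def parse_version(text: str) -> tuple:
    """Turn '5.5.1' into (5, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))


def installed_version(plugin_file: str) -> Optional[str]:
    """Extract the 'Version:' header value from the plugin's main file contents."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)\s*$", plugin_file, re.MULTILINE)
    return m.group(1) if m else None


def update_target(installed: str, patched_by_branch=PATCHED_BY_BRANCH) -> Optional[str]:
    """Return the patched version within the site's own branch (no 4 -> 5 jump needed),
    or None when the installed version is already at or past the patch.
    An unknown branch raises KeyError rather than being silently reported as safe."""
    major, minor, *_ = parse_version(installed)
    branch = f"{major}.{minor}"
    patched = patched_by_branch[branch]
    return patched if parse_version(installed) < parse_version(patched) else None


if __name__ == "__main__":
    version = installed_version(SAMPLE_PLUGIN_HEADER)
    target = update_target(version)
    print(f"installed {version}: " + (f"update to {target}" if target else "already patched"))
```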
Proactive WAF protection set by SiteGround
In regards to security, we’ve always believed that being proactive is the best approach. This particular vulnerability was no exception. As soon as we were informed about it by the Woo team, we acted immediately and added a new security rule to our Web Application Firewall (WAF) – an elaborate system for exploit prevention, running on all of our servers. You can think of the firewall as a set of rules that address exploit attempts. We are constantly on the lookout for information about common security issues and we are quick to act by adding security rules so that our system can block attempts to exploit them. The WAF will not patch a security hole in a particular website, which can only be done by updating to the security release, but it prevents attackers from using that hole to gain unauthorised access to your site.
You may wonder why you need a WAF rule when the Woo team is fast to release a new security version. We do it to ensure that clients have more time to react, during which their sites are safe from the exploit. While the majority of WooCommerce users are automatically updated by Woo, some sites are not updated for various reasons – the auto-update failed, was disabled, or was postponed too far in the future. Some webmasters prefer to manage the updates themselves, mainly because they want to be sure that the update does not interfere with any of their website functionality. After all, we are usually talking about online stores, relying on many additional plugins for shipping, payments, tracking, taxation, and more. For these people, the WAF rules provide time to make sure all their critical functionality will work with the new Woo version.
As a whole, the handling of this Woo vulnerability shows how the combined efforts of responsible plugin developers and your hosting company pay off – even in emergency situations your clients are safe and business continues as usual!
Comments (5)
Barry Brunning
Hi Hristo, I have auto-updates off on all plugins, but even so the update was forced somehow by WooCommerce. First, I started digging as to why an update had occurred with auto-updates off. Was this some new WordPress interpretation of auto-update, I wondered. As a result of Google searches I found the details of the 'forced update' for WooCommerce. Second, adding insult to injury, the email I received told me an update had occurred; however, it did not say it was forced. Even worse, it contended no further action was required on my part! How would they know? In fact I have plugin modifications, which is partly why auto-update is off. So now our system was not acting as intended. Yes, they may have been under pressure, but could do better IMHO. Regards, Barry Brunning
Hristo Pandjarov Siteground Team
Such forced updates are permitted by WordPress only in serious cases like this one. That was a branched update, which means that the only new thing you should have received is basically the security fix. Adding code to WooCommerce directly is a very bad idea and shouldn't be done. Instead, you can register a new plugin or use the theme's functions.php page to add your custom code.
David Shepherd
Was it actually necessary to force update WooCommerce plugins as well as WooCommerce itself? There is a specific reason why one of mine is not at latest version and automatic updates are disabled. My payment system is now broken.
Hristo Pandjarov Siteground Team
Such updates were not forced. I would recommend contacting your plugin developers in order to get additional assistance on that matter. Meanwhile, you can restore from a backup to a previous version.
Nick N.
Thanks guys!