Today Woo’s engineering team deployed an important update for WooCommerce. The update addresses a vulnerability that could allow bad actors to inject malicious content in the browser. The Woo team has also contacted WooCommerce merchants whose stores may be vulnerable.
This issue was limited to WooCommerce stores running the following WooCommerce versions that also had Order Attribution enabled, a feature that is enabled by default in WooCommerce:
- 8.8.0
- 8.8.1
- 8.8.2
- 8.8.3
- 8.8.4
- 8.9.0
- 8.9.1
- 8.9.2
If you are running WooCommerce 8.8.0 or later, we strongly recommend updating as soon as possible.
Actions you should take to ensure your store is updated
If you don’t have the right version installed already, you’ll need to update it manually.
To update the extension:
- Log in to your store’s WP Admin dashboard and navigate to Plugins.
- Locate WooCommerce in your list of installed plugins and extensions. You should see an alert stating, “There is a new version of WooCommerce available.”
- Click the update now link displayed in this alert to update to version 8.9.3.
If you are unable to update WooCommerce immediately, you should disable Order Attribution. This vulnerability is only exploitable if Order Attribution is enabled.
You can read more about the update in this Woo Developer Advisory, including how to check your store’s version status.
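For merchants or agencies managing more than one store, the version check above can be scripted. The following is an added example, not tooling from Woo or the advisory: a POSIX shell function that decides whether a WooCommerce version string falls in the affected range (8.8.0 up to, but not including, the patched 8.9.3), plus a wrapper that reads the installed version with the real WP-CLI command `wp plugin get woocommerce --field=version` when `wp` is available on the store host. The range check deliberately covers every version from 8.8.0 to 8.9.2 rather than listing the eight versions individually, so it also flags a hypothetical 8.8.5.

```shell
#!/bin/sh
# Added example (not WooCommerce's own tooling): report whether a WooCommerce
# version is in the advisory's affected range 8.8.0 <= version < 8.9.3.

# Turn "major.minor.patch" into one integer so versions can be compared
# numerically (8.9.2 -> 8009002). A pre-release suffix such as "-beta1" is
# dropped; missing components count as 0.
version_key() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  # Split on dots into the function's own positional parameters.
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 (true) when the given version is affected, 1 otherwise.
# Lower bound 8.8.0 and upper bound 8.9.3 (the patched release) come from
# the advisory text.
woo_affected() {
  key=$(version_key "$1")
  [ "$key" -ge "$(version_key 8.8.0)" ] && [ "$key" -lt "$(version_key 8.9.3)" ]
}

# Query a live store through WP-CLI. Run this on the store host (or with
# --ssh / --path as your WP-CLI setup requires). Returns 0 when the store
# needs the update, 1 when it is outside the affected range, 2 if wp-cli is
# not installed.
check_store() {
  command -v wp >/dev/null 2>&1 || {
    echo "wp-cli not found; run this on the store host" >&2
    return 2
  }
  ver=$(wp plugin get woocommerce --field=version)
  if woo_affected "$ver"; then
    echo "WooCommerce $ver is in the affected range (8.8.0-8.9.2)."
    echo "Update with: wp plugin update woocommerce   (target: 8.9.3 or later)"
    return 0
  fi
  echo "WooCommerce $ver is outside the affected range."
  return 1
}

# Stand-alone usage: pass a version string to test, or no argument to query
# the local store with WP-CLI.
if [ "$#" -gt 0 ]; then
  if woo_affected "$1"; then echo "$1: affected"; else echo "$1: not affected"; fi
else
  check_store
fi
```

Because the advisory also says that stores which cannot update immediately should disable Order Attribution, a script like this is a triage aid only: a store flagged as affected still needs either the update to 8.9.3 or that feature disabled.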
What is the vulnerability?
This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.
Has my store’s data been compromised?
We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have received no reports of it being exploited, and our engineering team’s analysis did not reveal that it had been exploited.
I use a version of WooCommerce older than 8.8.0; is my store impacted?
The vulnerability affects any WooCommerce store running WooCommerce 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.9.0, 8.9.1, or 8.9.2, specifically if the store has Order Attribution enabled (this is enabled by default). If you are using an earlier stable version of WooCommerce that is otherwise kept up to date, your store is not affected.
How do I know if my store is safe?
If your store is running the latest, patched version of WooCommerce (8.9.3), it is safe.
What else can I do to keep my store secure?
We always encourage merchants to maintain high security standards. This includes the use of strong passwords, two-factor authentication, careful monitoring of transactions, and using the latest, secure version of WooCommerce (and any other extensions or plugins installed on your site). Read more about security best practices.
If you have further concerns or questions, our team of Happiness Engineers is on hand to help — please open a support ticket.
Special Thanks
We are grateful for the help of security researcher ecaron, who worked with us to uncover this vulnerability as part of Automattic’s HackerOne Bounty Program.