On May 28, 2024, Woo’s engineering team discovered an issue within WooCommerce (versions 7.8 and above) that caused the unintentional collection of specific visitor data by Automattic, Woo’s parent company.
This issue only pertained to WooCommerce stores that had data tracking enabled and did not have their store connected to Jetpack.
The specific visitor data collected by Automattic included visitor IP addresses, timestamps, referrers, user agents, and several other HTTP-specific details. No sensitive customer or user data, nor any payment data was collected due to this issue.
The collected data logs were stored securely on Automattic’s servers. None of the data was externally accessed, and all data from stores with a patched WooCommerce version active will be removed in the next few days under Automattic’s default 14-day retention policy.
Woo’s engineering team developed and released a patch for WooCommerce on June 4th, 2024 that addressed the issue. Woo merchants using automatic updating should already have the patch installed, and no further action should be necessary.
About the issue
With the release of WooCommerce 7.8, a change was made that caused an external file (in this case, https://stats.wp.com/w.js) to be requested by the store front end if the store also opted into WooCommerce usage tracking. When this file was unintentionally requested, details about the request (including the visitor data mentioned above) were recorded to server request logs on servers hosted on Automattic infrastructure.
Woo’s engineering team addressed the issue by creating patched versions of WooCommerce 7.0 to 8.9. Updates were released as of June 4th, 2024.
You can read more details in this Developer Advisory on the Woo Developer Blog.
How can I tell if my store was affected?
To determine if your WooCommerce installation is affected by this issue, check the version of WooCommerce you are running. If your site has any WooCommerce version from 7.8.0 through 8.9.1 active and your store has tracking enabled, you are likely affected. If your store is connected to Jetpack, you may still see the “https://stats.wp.com/w.js” file loading when certain features are active (e.g. Jetpack search).
How do I protect my store?
The Woo team released a WooCommerce patch to address the issue starting June 4, 2024. We encourage you to ensure your store has the latest patched version of WooCommerce active.
Latest Patched Versions of WooCommerce from 7.0 to 8.9 (download the latest release from WordPress.org)
8.9.2 | 8.8.4 | 8.7.1 | 8.6.2 | 8.5.3 | 8.4.1 |
8.3.2 | 8.2.3 | 8.1.2 | 8.0.4 | 7.9.1 | 7.8.3 |
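The affected-store criteria and the patched-version table above can be combined into one check. The following is an added example, not code from Woo or WooCommerce: the function names and the sample HTML are constructed for illustration, and treating a release at or above its branch's listed patch as fixed is an assumption drawn from the table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Patched release per minor branch, copied from the advisory's table.
PATCHED = {(8, 9): 2, (8, 8): 4, (8, 7): 1, (8, 6): 2, (8, 5): 3, (8, 4): 1,
           (8, 3): 2, (8, 2): 3, (8, 1): 2, (8, 0): 4, (7, 9): 1, (7, 8): 3}

# Constructed sample of front-end HTML (not captured from a real store).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://stats.wp.com/w.js?ver=202422" defer></script>
</head><body></body></html>"""


def needs_patch(version):
    """Return the patched release for this branch, or None if no update is listed."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = PATCHED.get((major, minor))
    if fixed is None or patch >= fixed:
        return None  # branch not in the table, or already at/after the patched release
    return f"{major}.{minor}.{fixed}"


class _ScriptSrcs(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def loads_w_js(html):
    """True if the page references stats.wp.com/w.js (absolute or //-relative URL)."""
    parser = _ScriptSrcs()
    parser.feed(html)
    urls = (urlsplit(s.strip()) for s in parser.srcs)
    return any(u.hostname == "stats.wp.com" and u.path == "/w.js" for u in urls)


def assess(version, tracking_enabled, jetpack_connected, html=""):
    """Apply the advisory's criteria; returns (likely_affected, update_to, w_js_seen)."""
    target = needs_patch(version)
    affected = bool(target) and tracking_enabled and not jetpack_connected
    return affected, target, loads_w_js(html)
```

A `w_js_seen` result of True is not conclusive on its own, since Jetpack-connected stores may load the same file for certain features.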
We are proactively communicating with Woo merchants about this update out of an abundance of caution and as part of our commitment to data privacy. Once again, no sensitive information was accessed, and all of the specific visitor data that was collected was temporarily and securely stored on Automattic’s servers.
If you have further concerns or questions, our team of Happiness Engineers is on hand to help—please open a support ticket.