WooCommerce releases patch for the flaw that affects WordPress sites

Millions of WordPress sites threatened by the vulnerability: potential data compromise

WooCommerce mandates security update

The vulnerability can affect WordPress sites, so the company released critical patches for the security flaw.

On July 13, 2021, the open source WordPress plugin WooCommerce faced a security threat when a critical flaw was identified through the company's HackerOne program. No time was spared: a new patch has already been created to fix the dangerous vulnerability and avoid more serious consequences.

The newly discovered flaw was found to affect WooCommerce plugin versions 3.3 to 5.5, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin. While the company's investigation is still ongoing, a new automatic patch should fix the problem, at least temporarily [1].

The company advises everyone who could have been affected to ensure that they are running the latest patched version, which for WooCommerce is 5.5.1, or the highest patched version available in their release branch. Users who are also running WooCommerce Blocks should be using version 5.5.1.

Because of the critical flaw, millions of sites were put in danger, as their data could have been compromised. However, as of right now it is unclear whether any data belonging to those affected has been compromised at all. WooCommerce promises to be in touch with site owners if more questions arise during the further investigation, and every client is advised to take precautions [2].

As of right now, no cybersecurity breaches were noted

All sites on the WordPress.com platform have already received the updated plugin, while affected WooCommerce installations elsewhere are currently being repaired. The company strongly recommends following the update news and changing all passwords, whether you believe your system was compromised or not.

The flaw was considered critical because an attacker could take advantage of the SQL injection flaw to obtain store-related information, administrative details, and even data about orders and customers. The good news is that security specialists haven't seen any real criminal activity yet.
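To show what an SQL injection flaw in a WordPress plugin looks like in practice, here is an added example that is not WooCommerce's own code and does not reproduce the actual vulnerable query (which the article does not detail). It contrasts a query built by string concatenation with the same query bound through WordPress's `$wpdb->prepare()`, using hypothetical function names (`wc_demo_*`) and the standard `wp_posts` table:

```php
<?php
// Added example: a plugin query that concatenates request input into SQL,
// beside its parameterised form. Function names are hypothetical; $wpdb is
// the real WordPress database object and %s placeholders are its syntax.

// VULNERABLE: the order status arrives from the request and is dropped
// straight into the SQL string, so a crafted value can change the query
// and read data it was never meant to return.
function wc_demo_orders_by_status_vulnerable( $status ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} "
         . "WHERE post_type = 'shop_order' AND post_status = '" . $status . "'";
    return $wpdb->get_col( $sql );
}

// HARDENED: the value is bound through $wpdb->prepare(), which escapes it
// and keeps it inside the string literal whatever it contains. The status
// is also restricted to an allow-list of known WooCommerce order statuses.
function wc_demo_orders_by_status_safe( $status ) {
    global $wpdb;
    $allowed = array( 'wc-pending', 'wc-processing', 'wc-completed', 'wc-cancelled' );
    if ( ! in_array( $status, $allowed, true ) ) {
        return array(); // unknown status: return nothing rather than guess
    }
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s",
        'shop_order',
        $status
    );
    return $wpdb->get_col( $sql );
}

// LIKE searches need one more step: prepare() escapes quotes but not the
// LIKE wildcards % and _, so the search term is passed through esc_like()
// first and the wildcards are added by the code, not by the user.
function wc_demo_search_orders_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_title LIKE %s",
        'shop_order',
        $like
    );
    return $wpdb->get_col( $sql );
}
```

The defensive point is that escaping alone is not the whole story: placeholders keep input inside the literal, an allow-list rejects values the store never uses, and `esc_like()` stops wildcard characters from widening a search beyond what the caller intended.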

Information about the bug surfaced after a security researcher reported it through the Automattic bug bounty program on HackerOne. Under the program's reward system and given the severity of the flaw, the researcher will receive a $500 bounty. HackerOne is a hacker-powered security platform that connects businesses with penetration testers and cybersecurity researchers [3].

WordPress plugins constantly face security problems

WordPress acts as the website's operating system, while WooCommerce is a plugin that turns it into a fully functioning e-store [4]. However, WordPress currently seems to be facing more than one security problem: just a few weeks ago, information about four other security issues, apparently discovered in May, became public.

These flaws made it possible for an attacker to escalate user privileges and upload malicious code, resulting in the complete takeover of a WordPress site. The weak link appeared to be the ProfilePress plugin, which handles the uploading of WordPress user profile images [5].

Originally, the plugin was only meant to handle photo uploads; however, a recent change extended it with features including user login and registration. This led to privilege escalation bugs and malicious upload problems, which attracted security experts' attention. Again, the company's only suggestion was to update to the latest version available.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
