WooCommerce shipped model 5.7.0 by a pressured replace for some customers earlier this week. The minor launch was not billed as a safety replace however the next day WooCommerce printed a put up explaining that the plugin was weak to having analytics reviews leaked on some internet hosting configurations:
On September 21, 2021, our workforce launched a safety patch to deal with a server configuration setup utilized by some hosts, which below the fitting circumstances could make some analytics reviews publicly out there.
This was technically categorised as a damaged entry management vulnerability, in line with the WPScan.
WordPress.org pushed an computerized replace to affected shops starting on September 21, for all websites that haven’t explicitly disabled computerized updates. The WooCommerce workforce created a patch for 18 variations again to 4.0.0, together with 17 patched variations of the WooCommerce Admin plugin. These whose filesystem is ready to read-only or who’re working WooCommerce variations older than 4.0.0 is not going to have obtained the automated replace and will proceed to manually replace their websites.
WooCommerce recommends customers replace to the most recent model, which is now 5.7.1, or the best quantity potential in your launch department. The safety announcement put up has detailed directions for the way retailer house owners can examine to see if their report information could have been downloaded.
Greater than 5 million WordPress websites use WooCommerce. On the time of publishing, 59.8% are working on model 5.4 or older. Solely 12.8% are utilizing the lates 5.7.x launch. It’s not potential to see what number of websites are nonetheless weak, as a result of WordPress.org solely shows a breakdown for the main branches customers have put in. Some web site house owners working older variations should still be energetic in making use of safety patches however not ready to replace to the most recent launch.
WooCommerce 5.7.1 was launched earlier at the moment after the workforce obtained a number of reviews of damaged websites following the 5.7.0 replace. This launch consists of fixes for regressions and new bugs recognized within the earlier replace.