A critical vulnerability in WooCommerce and WooCommerce Blocks has been discovered. This was discovered by a security researcher and a public announcement was made this morning.
Automattic, the WooCommerce plugin developers, have announced the vulnerability and released a security patch which closes the vulnerability in all 90+ affected versions of WooCommerce. The actual details on the vulnerability are unclear at this point.
This impacts WooCommerce installations from versions 3.3 to 5.5, and versions 2.5 to 5.5 for WooCommerce Blocks. The released security patch is version 5.5.1.
It is imperative that WooCommerce installations are up to date. The WooCommerce team is also recommending that merchants update their login credentials after updating to mitigate any possible exploit vectors.
The Fixed.net team are currently working with customers to update all WooCommerce and WooCommerce Blocks installations smoothly. We are handling this proactively as part of our WordPress maintenance offering.
If you would like more information on the issue, or are concerned about your website, you can contact us, and we'll inform you on the state of your web store installation.
Should you not already be a Fixed.net client, we are able to assist with upgrades and issues relating to the WooCommerce update. We can also help with any malware and phishing cleanups that may result from out of date WordPress and WooCommerce sites that are not maintained.