A Critical WooCommerce Vulnerability Promptly Addressed

Last week, the Woo team announced a critical vulnerability in the most popular eCommerce plugin for WordPress – WooCommerce. As described in their post, security updates were pushed to all Woo branches for users who have not disabled such updates. This was done quickly and efficiently. Furthermore, the Woo team has been extremely cooperative in providing all the information we needed to proactively add security rules to our WAF (Web Application Firewall) for an additional layer of protection. Read below to learn more about all actions taken and their results.

Branched updates pushed by Woo

Due to the severity of the vulnerabilities discovered, the WooCommerce team worked around the clock for more than 36 hours to patch every major release branch. This means that you don’t have to switch from WooCommerce 4 to 5 to protect yourself. Those updates were pushed, and unless you explicitly disabled automatic updates, your Woo installation has most probably already been patched. However, we strongly recommend that you check this! All WooCommerce versions prior to the latest patch are vulnerable. You can check your version and compare it to the WooCommerce Releases (https://developer.woocommerce.com/releases/) page. For example, if you have WooCommerce 5.2.2 you should simply update to 5.2.3. That will fix the security problem without breaking any functionality.
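A branch-aware version check, added here as an example (it is not SiteGround's or WooCommerce's code): it reads the `Version:` field from a plugin's main-file header, compares it with the patched release for that branch, and reports a branch missing from the table as unknown rather than safe. Only the 5.2.3 entry is taken from this article; the sample plugin header and site inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum safe release per WooCommerce major.minor branch. Only the 5.2 entry
# comes from the article (5.2.2 -> 5.2.3); fill in the other branches from
# https://developer.woocommerce.com/releases/ before relying on this table.
PATCHED: Dict[str, str] = {"5.2": "5.2.3"}

# Constructed sample of the header WordPress reads from a plugin's main file
# (woocommerce.php); the version number here is made up for the example.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WooCommerce
 * Version: 5.2.2
 */
"""

def version_from_plugin_header(text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def parse_version(v: str) -> Tuple[int, ...]:
    """'5.2.3' -> (5, 2, 3); a '-beta1' style suffix is ignored."""
    return tuple(int(p) for p in v.strip().split("-")[0].split("."))

def branch_of(v: str) -> str:
    """Branch is major.minor, because Woo shipped the fix per branch."""
    major, minor = parse_version(v)[:2]
    return f"{major}.{minor}"

def assess(installed: str, patched: Dict[str, str] = PATCHED) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version.
    A branch missing from the table is reported as unknown, never as safe."""
    fixed = patched.get(branch_of(installed))
    if fixed is None:
        return "unknown"
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed inventory; the version strings are sample data.
    for site, ver in {"shop-a.example": version_from_plugin_header(SAMPLE_PLUGIN_HEADER),
                      "shop-b.example": "5.2.3", "shop-c.example": "4.9.0"}.items():
        print(f"{site}: {assess(ver)}")
```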

Proactive WAF protection set by SiteGround

When it comes to security, we’ve always believed that being proactive is the best approach. This particular vulnerability was no exception. As soon as we were informed about it by the Woo team, we acted immediately and added a new security rule to our Web Application Firewall (WAF) – an elaborate system for exploit prevention, running on all of our servers. You can think of the firewall as a set of rules that address exploit attempts. We are constantly on the lookout for information about common security issues, and we are quick to act by adding security rules so that our system can block attempts to exploit such issues. The WAF will not patch a security hole in a particular website; that can only be done by updating to the security release. It does, however, prevent attackers from using the hole to gain unauthorised access to your site.


You may wonder why you need a WAF rule when the Woo team is fast to release a new security version. We do it to ensure that clients have more time to react, during which their sites are safe from the exploit. While the majority of WooCommerce users are automatically updated by Woo, some sites are not updated for various reasons – the auto-update failed, was disabled, or was postponed too far into the future. Some webmasters prefer to manage the updates themselves, mainly because they want to be sure that the update does not interfere with any of their website functionality. After all, we are usually talking about online stores, relying on many additional plugins for shipping, payments, tracking, taxation and more. For these people the WAF rules provide time to make sure all their critical functionality will work with the new Woo version.

As a whole, the handling of this Woo vulnerability shows how the combined efforts of responsible plugin developers and your hosting company pay off – even in emergency situations your clients are safe and business continues as usual!

Hristo Pandjarov

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!


Comments (2)


Barry Brunning

Jul 22, 2021

Hi Hristo, I have auto-updates off on all plugins, but even so the update was forced somehow by WooCommerce. First, I started digging as to why an update had occurred with auto-updates off. Was this some new WordPress interpretation of auto-update, I wondered. As a result of Google searches I found the details of the 'forced update' for WooCommerce. Second, adding insult to injury, the email I received told me an update had occurred; however, it did not say it was forced. Even worse, it contended no further action was required on my part! How would they know? In fact I have plugin modifications, which is partly why auto-update is off. So now our system was not acting as intended. Yes, they may have been under pressure, but could do better IMHO. Regards, Barry Brunning


Hristo Pandjarov, SiteGround Team

Jul 23, 2021

Such forced updates are permitted by WordPress only in serious cases like this one. That was a branched update which means that the only new thing you should have received is basically the security fix. Adding code to WooCommerce directly is a very bad idea and shouldn't be done. Instead, you can register a new plugin or use the theme's function.php page to add your custom code.
