Action required: Security update for WooCommerce June 11, 2024at 02:27 am By: James Byrne After Dark Grafx Your store requires an immediate update to the latest version of WooCommerce Today WooCommerce sent out the following email “Action required: Security update for WooCommerce”. Of course your website probably complains about plugins needing updates but this one is serious and should be completed ASAP! If you need help, please contact us, but be sure to make a backup of your database and site files before just clicking UPDATE. Hi there, To address a security vulnerability, we released an important security patch for WooCommerce (versions 8.8.5 and 8.9.3) on June 10, 2024. Your store requires an immediate update to the latest version of WooCommerce.If exploited, this vulnerability could allow bad actors to manipulate a website link to inject malicious content. What do I need to do? Click this image for a larger version. If your version of WooCommerce has already been updated to version 8.9.3 (or if auto-updates are enabled), no further action is required. If not, you’ll need to update it manually. To update: Log in to your store’s WP Admin dashboard and navigate to Plugins. Locate WooCommerce in your list of installed plugins and extensions. You should see an alert stating, “There is a new version of WooCommerce available.” Click the update now link displayed in this alert to update to version 8.9.3. If you don’t see the new version alert, please manually check your version number. If you are unable to update WooCommerce immediately, you should disable Order Attribution. This vulnerability is only exploitable if Order Attribution is enabled. What is the vulnerability? A security researcher originally reported the vulnerability to us as part of Automattic’s HackerOne Bug Bounty Program. This vulnerability could allow for cross-site scripting — a type of attack where a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin. Has my store’s data been compromised? We are not aware of any exploits of this vulnerability. What else can I do to keep my store secure? We always encourage merchants to maintain high security standards. This includes the use of strong passwords, two-factor authentication, careful monitoring of transactions, and using the latest, secure version of WooCommerce (and any other extensions or plugins installed on your site). Read more about security best practices. I use a version of WooCommerce older than 8.8.0; is my store impacted? The vulnerability impacts any site running the following versions of WooCommerce — specifically if the store has Order Attribution enabled(this is enabled by default). 8.8.0 8.8.1 8.8.2 8.8.3 8.8.4 8.9.0 8.9.1 8.9.2 If you are using an earlier stable, updated version of WooCommerce, your store is not affected. How do I know if my store is secure? If you are running the latest, patched version of WooCommerce (version 8.9.3, as well as the backported 8.8.5), your store is safe. Our Developer Advisory explains how to check your store’s WooCommerce version status, and includes other details related to the update. We encourage you to enable auto-updates to keep your plugin versions current and ensure you automatically receive all future security updates. We always strive for transparent and timely communication with our community. If you have any questions about this issue, please get in touchwith our Happiness team. Have Questions? Call Us Toll Free 1-888-578-8300 CONTACT US