A Critical WooCommerce Vulnerability Promptly Addressed

Last week, the Woo team announced a critical vulnerability in the most popular eCommerce plugin for WordPress – WooCommerce. As described in their post, security updates were pushed to all Woo branches for users that have not disabled such updates. This was done in a very fast and efficient way. Furthermore, the Woo team has been extremely cooperative with providing all the needed information that allowed us to proactively add security rules to our WAF (Web Application Firewall) for an additional layer of protection. Read below to learn more about all actions taken and their results.

Branched updates pushed by Woo

Due to the severity of the vulnerabilities discovered, the WooCommerce team has worked more than 36 hours around the clock to patch every major release branch. This means that you don’t have to switch from WooCommerce 4 to 5 to protect yourself. Those updates were pushed and if not explicitly disabled, most probably your Woo has been already patched. However, we strongly recommend that you check this! All WooCommerce versions prior to the latest patch are vulnerable. You can check your version and compare it to the WooCommerce Releases (https://developer.woocommerce.com/releases/) page. For example, if you have WooCommerce 5.5.1 you should simply update to 5.5.2. That will fix the security problem without breaking any functionality.

Proactive WAF protection set by SiteGround

In regards to security we’ve always believed that being proactive is the best approach. This particular vulnerability was no exception. As soon as we were informed about it by the Woo team, we acted immediately and added a new security rule to our Web Application Firewall (WAF) – an elaborate system for exploit prevention, running on all of our servers. You can think of the firewall as a set of rules that address exploit attempts. We are constantly on the watch out for information about common security issues and we are quick to act by adding security rules, so that our system can block attempts to exploit such issues. WAF will not patch a security hole of a particular website, which can be only done through updating with the security release, but prevents attackers from using it to gain unauthorised access to your site.

You may wonder why you need a WAF rule when the Woo team is fast to release a new security version. We do it to ensure that clients have more time to react, during which their sites are safe from the exploit. While the majority of the WooCommerce users are automatically updated by Woo, some sites are not updated for various reasons – autoupdated failed, disabled or postponed too far in the future. Some webmasters prefer to manage the updates themselves, mainly as they want to be sure that the update does not mess with any of their website functionality. After all, we are usually talking about online stores, relying on many additional plugins for shipping, payments, tracking, taxation and many more. For these people the WAF rules provide time to make sure all their critical functionality will work with the new Woo version.

As a whole, the handling of this Woo vulnerability shows how the combined efforts of responsible plugin developers and your hosting company pay off – even in emergency situations your clients are safe and business continues as usual!