The WooCommerce team has released a security patch for an issue in a server configuration setup used by some hosts. Under specific conditions, the vulnerability could make some analytics reports publicly accessible.
The update became available on 21 September and was applied automatically to many of the affected WooCommerce versions. It is still recommended to confirm that your store has actually received the update and to install it manually if it has not.
The patched versions of each supported WooCommerce and WooCommerce Admin release line are as follows:
Patched versions of WooCommerce
– 4.0.3
– 4.1.3
– 4.2.4
– 4.3.5
– 4.4.3
– 4.5.4
– 4.6.4
– 4.7.3
– 4.8.2
– 4.9.4
– 5.0.2
– 5.1.2
– 5.2.4
– 5.3.2
– 5.4.3
– 5.5.3
– 5.6.1
– 5.7.0
Patched versions of WooCommerce Admin
– 1.0.4
– 1.1.4
– 1.2.5
– 1.3.3
– 1.4.1
– 1.5.1
– 1.6.4
– 1.7.4
– 1.8.4
– 1.9.1
– 2.0.4
– 2.1.6
– 2.2.7
– 2.3.2
– 2.4.5
– 2.5.2
– 2.6.4
WooCommerce also recommends disabling directory listing on your server. With directory listing enabled, the server returns a list of every file in a web directory that has no index file, which is what would expose an exported report file. You can check whether it is enabled by visiting your.domain/wp-content/uploads.
As for the vulnerability itself, you can check whether your reports were exported and exposed as follows:
– Open your.domain/wp-admin/options.php and search for the field woocommerce_admin_report_export_status. If this field is present, a report export was generated and the report could have been downloaded.
– Open your.domain/wp-content/uploads. Normally you should see a blank page. If instead you see a list of files, your report file could be publicly accessible.
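The two checks above and the recommended directory-listing fix, collected into one script. This is an added example written for this page, not code from WooCommerce or from the original post. It assumes an Apache server with .htaccess overrides allowed (on nginx, set `autoindex off;` in the server block instead; it is off by default), WP-CLI installed as `wp`, and curl available; the HTML used to illustrate the listing check is constructed, and all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example for this page; not code from WooCommerce or the original post.
# Assumptions: Apache with .htaccess overrides allowed (nginx users set
# "autoindex off;" in the server block instead), WP-CLI installed as `wp`,
# curl available. Function names are hypothetical.
set -u

# Does an HTTP response body look like a directory listing? Apache and nginx
# both title autoindex pages "Index of /path" and link to "Parent Directory".
# Reads the body on stdin; exit 0 = looks like a listing, 1 = does not.
looks_like_listing() {
  grep -qiE '<title>Index of |Parent Directory'
}

# Fetch a URL and report whether the server lists that directory.
# Exit 0 = listing enabled, 1 = not listed (blank page, 403, 404), 2 = fetch failed.
check_listing_url() {
  local url="$1" body
  body="$(curl -sS -L --max-time 10 "$url" 2>/dev/null)" || return 2
  if printf '%s' "$body" | looks_like_listing; then
    echo "LISTING ENABLED: $url"
    return 0
  fi
  echo "no listing at $url"
  return 1
}

# Look for the option named in the advisory via WP-CLI (the same data that
# wp-admin/options.php shows). The wildcard also catches prefixed variants.
# Exit 0 = at least one matching option exists, 1 = none, 2 = WP-CLI failed.
check_report_option() {
  local root="${1:-.}" name="woocommerce_admin_report_export_status" count
  count="$(wp --path="$root" option list --search="${name}*" --format=count 2>/dev/null)" || return 2
  if [ "${count:-0}" -gt 0 ]; then
    echo "found $count option(s) matching ${name}*: a report export was generated"
    return 0
  fi
  echo "no option matching ${name}*"
  return 1
}

# Idempotently add "Options -Indexes" to <dir>/.htaccess so Apache refuses to
# list the directory. Only effective where AllowOverride permits Options.
# Exit 0 = disabled (already or now), 2 = directory does not exist.
disable_indexes_htaccess() {
  local dir="$1" file="$1/.htaccess"
  [ -d "$dir" ] || return 2
  if [ -f "$file" ] && grep -qE '^[[:space:]]*Options[[:space:]].*-Indexes' "$file"; then
    echo "directory listing already disabled in $file"
    return 0
  fi
  printf '\n# Added: never list this directory\nOptions -Indexes\n' >> "$file"
  echo "appended Options -Indexes to $file"
}

# Usage: bash wc_report_check.sh --run https://your.domain /path/to/wordpress
if [ "${1:-}" = "--run" ]; then
  site="${2:?usage: $0 --run https://your.domain [wordpress-root]}"
  root="${3:-.}"
  check_listing_url "$site/wp-content/uploads/"
  check_report_option "$root"
  disable_indexes_htaccess "$root/wp-content/uploads"
fi
```

Run it with `--run` against the store URL and its WordPress root; the listing check needs only the URL, the option check needs WP-CLI and database access, and the .htaccess step is a per-directory fallback for when you cannot change the server's global configuration. A 403 or blank page from /wp-content/uploads/ is the expected result once listing is off.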
If you are unsure how to perform these checks or apply the patch, don't hesitate to contact us. We will gladly help you deal with this vulnerability or with any other needs you have.