WooCommerce June 2024 Security Vulnerability

WooCommerce has advised that there is a vulnerability in WooCommerce for several versions overnight.

The vulnerability is linked to the Order Attribution setting, allowing hackers to inject malicious links into the website code.

Website owners are advised to update the plugin for the latest security update as soon as possible.

Alternatively, users may turn off Order Attribution in the interim if the new version causes problems with your site.

Clients using the WP Toolkit Smart Update tool have updates automatically run for them in the next day cycle, with the benefit of real-time site testing before changes are pushed live.

Those on Security Plus powered by Security also benefit from cross-site script block features.

What versions are impacted?

The following versions of WooCommerce are impacted by this vulnerability:

  • 8.8.0
  • 8.8.1
  • 8.8.2
  • 8.8.3
  • 8.8.4
  • 8.9.0
  • 8.9.1
  • 8.9.2

With the order attribution setting on. Note that it’s on by default.

How to update the WooCommerce plugin

If your version of WooCommerce has already been updated to version 8.9.3 (or auto-updates are being used), no further action is required.

If not, you’ll need to update it manually.

To update:

  1. Log in to your WordPress Admin dashboard and navigate to Dashboard > Updates (you can also access this for True Green® clients in the GROW dashboard via My Services > Login to cPanel > WP Toolkit or Softaculous).
  2. Locate WooCommerce for updates; you should see an alert for the new version. If not listed, the update may have already occurred. Check the Plugins page to verify your version of WooCommerce.
  3. Click the update now link to update version 8.9.3 in this alert.
WooCommerce version 8.9.3 update for security vulnerability in WordPress dashboard updates

Make sure you have a site backup in case something goes wrong. Backups are located for True Green® clients in My Services > Login to cPanel > Acronis.

If you’re updating from versions before 8.9.2, be careful as other updates may conflict with your website.

How to turn off the order attribution setting

You can enable (or disable) this feature by going to WooCommerce > Settings > Advanced > Features > Order Attribution.

Note that this is a temporary measure because there’s a risk someone may still log in to your site and turn this on. So it is highly advisable to use the most recent version 8.9.3 as soon as you can.

Is WooCommerce secure?

WooCommerce is used by millions of websites around the world.

Plugins often have security vulnerabilities as they update their features to improve their services. This particular issue was reported through a bounty program. Whereby third-party users or ethical hackers can report issues to WooCommerce and receive a monetary incentive for doing so.

Software as a Service providers like Shopify also have these issues; however, they do not rely on user action, given they can provide real-time updates automatically.

WooCommerce is a trusted and reliable provider of online stores on WordPress.

It’s always advisable to keep your site software up to date to protect your website from hackers and bad traffic.

Please note that hackers do not pick sites based on the website’s size. It’s often done at random and using mass-scale bot technology.

How does True Green® Hosting keep me secure?

Like many other tools, incidents like this happen because WordPress is an open content management system. That allows developers to build a highly flexible and customisable platform for many businesses and organisations.

We provide clients with advanced firewalls and security to help protect their accounts, along with hourly backups via Acronis.

The Smart Update tool in WP Toolkit (My Services > Login to cPanel > WP Toolkit) is also suggested for enjoying automatic updates as they come in from providers.

We suggest adding Security Plus, powered by Sucuri, for eCommerce and sites that collect personal information. This enterprise-grade protection also offers free malware clean-ups if your site gets compromised by a login, plugin, theme or software issue.

In addition, incidents like this we take seriously and, given WooCommerce’s high usage, have conducted a network-wide audit to identify those using a vulnerable version of the plugin on our True Green® Hosting network.


More Posts

Send Us A Message