The company found that the vulnerability affected the WooCommerce plugin versions 3.3 to 5.5, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin.
WooCommerce says it began conducting an investigation, audited all related codebases, and deployed an automatic patch fix to all stores that were affected.
In a security update blog post, WooCommerce said: “Automatic software updates are rolling out now to all stores running impacted versions of each plugin, but we still highly recommend you ensure that you’re using the latest version. For WooCommerce, this is 5.5.1 or the highest number possible in your release branch. If you’re also running WooCommerce Blocks, you should be using version 5.5.1.”
It is still unclear whether the data of those affected had been compromised, although WooCommerce has said it will be sharing more information with site owners on how to investigate this particular security vulnerability on their websites, as and when the information becomes available.
If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information, WooCommerce revealed.
In an email, WooCommerce informed online store owners that stores hosted on WordPress.com and WordPress VIP had already been secured.
WooCommerce provided the patch to WordPress.org, with automatic software updates still in the roll out process. This will be for the security of all stores running on impacted versions of each plugin.
The company is still working with the WordPress.org Plugin Team to automatically update as many stores as possible to “secure versions of WooCommerce”.
It has also been advised that after installing the patched version, online store owners should update their passwords.
Via WP Tavern