A Critical WooCommerce Vulnerability Promptly Addressed
Last week, the Woo team announced a critical vulnerability in WooCommerce, the most popular eCommerce plugin for WordPress. As described in their post, security updates were pushed to every supported WooCommerce release branch for all sites that have not disabled such updates, and this was done quickly and efficiently. The Woo team has also been extremely cooperative in providing the information we needed to proactively add security rules to our WAF (Web Application Firewall) as an additional layer of protection. Read on to learn what actions were taken and what they achieved.
Branched updates pushed by Woo
Due to the severity of the vulnerabilities discovered, the WooCommerce team worked more than 36 hours around the clock to patch every major release branch. This means you do not have to migrate from WooCommerce 4 to 5 to protect yourself: a patched release exists for your current branch. Those updates were pushed automatically, so unless automatic updates are explicitly disabled on your site, your WooCommerce has most probably already been patched. However, we strongly recommend that you verify this rather than assume it. Every WooCommerce version older than the patched release of its branch is vulnerable. Check the installed version (shown on the Plugins screen of your WordPress dashboard) and compare it with the WooCommerce Releases (https://developer.woocommerce.com/releases/) page. For example, if you have WooCommerce 5.5.1 you should simply update to 5.5.2; that fixes the security problem without breaking any functionality, because the patch release carries only the security fix.
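To make the version check above repeatable across many sites, here is an added shell example (not SiteGround's or the Woo team's code) that reads the installed version from the plugin's file header, confirms that the patched release you are comparing against belongs to the same major.minor branch, and reports whether an update is needed. The plugin header is a constructed sample standing in for `wp-content/plugins/woocommerce/woocommerce.php`; the patched version `5.5.2` is the post's own example and would be replaced with the patched release of your branch from the Releases page.

```shell
#!/bin/sh
# Added example, not code from the original post or from WooCommerce.
# Reads the "Version:" header of the WooCommerce plugin file and compares
# it against the patched release for the same major.minor branch.

# Constructed sample of the plugin header; on a real site read it with
#   head -n 30 wp-content/plugins/woocommerce/woocommerce.php
SAMPLE_HEADER='<?php
/**
 * Plugin Name: WooCommerce
 * Version: 5.5.1
 */'

# Print the numeric value of the "Version:" header line (first match only).
woo_version_from_header() {
    printf '%s\n' "$1" \
        | sed -n 's/^[ *]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Compare two dotted numeric versions field by field (missing fields are 0).
# Prints -1, 0 or 1. Pre-release suffixes are not handled; the extraction
# above only captures digits and dots, so they never reach this function.
version_cmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True when both versions share the same major.minor branch (e.g. 5.5.x).
# Comparing against a patch from another branch would give a misleading answer.
same_branch() {
    [ "${1%.*}" = "${2%.*}" ]
}

# True when the installed version is older than the patched release.
needs_update() {
    [ "$(version_cmp "$1" "$2")" -lt 0 ]
}

installed=$(woo_version_from_header "$SAMPLE_HEADER")
patched=5.5.2   # patched release for the 5.5 branch, per the post's example

if ! same_branch "$installed" "$patched"; then
    echo "WooCommerce $installed is not in the $patched branch: look up the patched release for its own branch"
elif needs_update "$installed" "$patched"; then
    echo "WooCommerce $installed is older than $patched: update required"
else
    echo "WooCommerce $installed is at or above $patched: patched"
fi
```

Run it from the WordPress root after replacing `SAMPLE_HEADER` with the real file contents; the branch check is deliberate, since an installation on the 4.x branch must be compared with the 4.x patch release, not with 5.5.2.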
Proactive WAF protection set by SiteGround
When it comes to security we have always believed that being proactive is the best approach, and this vulnerability was no exception. As soon as the Woo team informed us about it, we added a new security rule to our Web Application Firewall (WAF), an exploit-prevention system that runs on all of our servers. You can think of the firewall as a set of rules that recognise and block exploit attempts. We are constantly on the lookout for information about common security issues and quickly add rules so that our systems can block attempts to exploit them. Note that the WAF does not patch the security hole in a particular website; only updating to the security release does that. What the WAF does is stop attackers from using the hole to gain unauthorised access to your site in the meantime, which is why it is an extra layer, not a substitute for the update.