On July 13th a critical vulnerability in WooCommerce and the WooCommerce Blocks feature plugin was identified. 🔓
Beau Lebens at WooCommerce says it’s not clear yet if data was compromised: “Our investigation into this vulnerability and whether data has been compromised is ongoing.”
Wordfence also has some details if you are interested. Tony Perez explains what SQL Injection (SQLi) vulnerabilities are and, in this case, shows the exact lines of code in Woo that caused the problem.
For most WordPress users and site owners, it’s simple: upgrade as soon as possible, even though forced automatic software updates are currently rolling out. Updates have rolled out for multiple branches, but it’s always recommended to be on the latest versions of WooCommerce and WooCommerce Blocks (5.5.1 at the time of this writing).
Security issues can arise anywhere, and from what I can see, WooCommerce acted pretty quickly.
This news overshadowed the 5.5.0 release a little. Although it’s a minor release, it did include new versions of Action Scheduler and it hides PayPal Standard on new installs, and IE 11 support will no longer be available.