
Important Update: Security Patch for WooCommerce Payments and WooCommerce Subscriptions Extensions

We are committed to keeping our community informed and secure, which is why we are sharing an important update regarding WooCommerce Payments and WooCommerce Subscriptions extensions.

Recently, a security vulnerability was identified in these extensions. This vulnerability had the potential to allow unauthorized users to access limited, non-payment-related information about unpaid guest orders. The good news is we have already developed and deployed a patch to rectify this issue.

This patch is essential for all versions of WooCommerce Payments from 4.2.0 onwards and all versions of WooCommerce Subscriptions from 2.1.0 onwards. We’d like to assure our users that no evidence of an external breach has been detected.

What’s Next for Users?

For WordPress.com hosted stores:

• If your store is hosted on WordPress.com, you can rest easy. The extensions have been updated automatically to eliminate the vulnerability.

For non-WordPress.com hosted stores:

• If your store is hosted elsewhere, we urge you to update to the latest, secure version of the WooCommerce Payments and WooCommerce Subscriptions extensions. Here’s how you can do this:

• Visit your WordPress Admin dashboard, and from there, select the Plugins menu item.
• Look for WooCommerce Payments and/or WooCommerce Subscriptions in your list of plugins.

Updating WooCommerce Payments

If you are using WooCommerce Payments, ensure you have version 5.9.1. If your version is below this, you’ll need to update. To do this, you may either follow the notice displayed in the plugin description or download the latest version from your WooCommerce.com account dashboard. For users with versions between 3.2.0 and 4.1.1, a manual update is needed to one of the fixed versions, which include 5.9.1, 5.8.2, 5.7.1, and so on, down to 4.2.3.

Updating WooCommerce Subscriptions

For WooCommerce Subscriptions, ensure that your plugin version is 5.1.3. If your version lies between 2.1.0 and 5.1.2, please update by following the notice on the plugin description or by downloading the latest version from your WooCommerce.com account dashboard.
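The version rules in the two sections above can also be checked against the JSON printed by WP-CLI's `wp plugin list --format=json`. This is an added example, not code from WooCommerce: the plugin slugs and the sample output are assumptions constructed for illustration, and only the fixed versions this notice names are treated as patched.

```python
import json
import re

# Rules below come from the notice; only versions it names are treated as fixed.
PAYMENTS_NAMED_FIXED = {(5, 9, 1), (5, 8, 2), (5, 7, 1), (4, 2, 3)}

def parse(version):
    """'5.8.2' -> (5, 8, 2). Pre-release suffixes such as '-beta' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(slug, version):
    v = parse(version)
    if slug == "woocommerce-payments":       # assumed plugin slug
        if v >= (5, 9, 1) or v in PAYMENTS_NAMED_FIXED:
            return "ok"
        if v >= (4, 2, 0):
            return "update"                  # affected range, not a named fixed release
        if (3, 2, 0) <= v <= (4, 1, 1):
            return "manual-update"           # notice asks for a manual update
        return "not-covered"
    if slug == "woocommerce-subscriptions":  # assumed plugin slug
        if v >= (5, 1, 3):
            return "ok"
        if v >= (2, 1, 0):
            return "update"
        return "not-covered"
    return "not-covered"

def audit(plugin_list_json):
    """Return (slug, version, status, verdict) for the two extensions, if installed."""
    watched = {"woocommerce-payments", "woocommerce-subscriptions"}
    return [(p["name"], p["version"], p["status"], classify(p["name"], p["version"]))
            for p in json.loads(plugin_list_json) if p["name"] in watched]

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE = """[
  {"name": "woocommerce", "status": "active", "version": "7.8.0"},
  {"name": "woocommerce-payments", "status": "active", "version": "5.8.1"},
  {"name": "woocommerce-subscriptions", "status": "inactive", "version": "5.1.3"}
]"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```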

Concerned About Your Data?

While this vulnerability could have allowed unauthorized access, we’ve found no evidence that it was exploited. We’re continuously monitoring the situation, and should there be any new information, we will notify you promptly.

Our goal is to maintain transparency and timely communication with our community. If you have any queries or concerns, our team is always here to assist. Please don’t hesitate to get in touch.