A critical security patch for WooCommerce was released today, June 10th 2024. It fixes a cross-site scripting (XSS) vulnerability in the 8.8 and 8.9 release lines. Smarthost customers with a WordPress care plan can rest easy: your site has already been updated and secured. Everyone else should act immediately, because until the update is applied your shoppers can be targeted through your own checkout pages.
Understanding the Vulnerability
The XSS vulnerability in WooCommerce 8.8 and 8.9 affects stores using the Classic Checkout (the registration form is affected as well, see below). It allows HTML and JavaScript injection: an attacker crafts a link whose tracking parameters carry a script payload and sends that link to shoppers, and the script runs in the browser of anyone who opens it. The payload is never written to the database, so this is a reflected rather than a stored XSS; each victim has to be lured to a crafted URL, but whatever the injected script does then runs in that visitor's session on your domain, so the risk to users is substantial.
Technical Details
The issue stems from a change introduced in WooCommerce 8.8 to the Order Attribution feature. Order Attribution, added in version 8.5, uses the Sourcebuster.js library to record where a visitor came from (referrer and campaign parameters in the URL). In version 8.8 the way this data was handled was modified: the values Sourcebuster collects were used to generate input fields on the registration and Classic Checkout forms. Because those values originate in the URL and referrer, they are under the control of whoever crafted the link the visitor clicked, so a value containing markup could break out of the generated field and inject code into the page.
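To make the failure mode concrete, here is an added illustration of the difference between interpolating tracking values into form markup and assigning them through safe APIs. This is not WooCommerce's or Sourcebuster's code: the field-name prefix, the attribution keys and the hostile payload are constructed for the example.

```javascript
// Added example: how attacker-influenced tracking data turns into XSS when it
// is written into form markup as a string. Field names and the payload are
// constructed; this is not the WooCommerce or Sourcebuster implementation.

// Order Attribution records where a visitor came from: referrer, landing
// page, utm_* query parameters. All of these are controlled by whoever
// crafted the link the visitor clicked. Sample data with a hostile utm_source:
const ATTRIBUTION = {
  source_type: "utm",
  utm_source:
    'newsletter"><img src=x onerror=alert(document.cookie)><input type="hidden',
  utm_medium: "email",
};

// VULNERABLE pattern: values concatenated into HTML. The double quote in
// utm_source closes the value attribute and the rest becomes live markup.
function buildHiddenInputsVulnerable(data) {
  return Object.entries(data)
    .map(
      ([key, value]) =>
        `<input type="hidden" name="wc_attribution_${key}" value="${value}">`
    )
    .join("\n");
}

// HARDENED pattern (a): escape every character that has meaning inside an
// attribute value before it touches markup. Use this when you must emit HTML.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildHiddenInputsEscaped(data) {
  return Object.entries(data)
    .map(
      ([key, value]) =>
        `<input type="hidden" name="wc_attribution_${key}" value="${escapeAttr(value)}">`
    )
    .join("\n");
}

// HARDENED pattern (b), browser only: never build markup at all. Create the
// elements and assign .value as a property; a property assignment is a plain
// string copy and is never parsed as HTML, so no escaping is needed.
function appendHiddenInputsDom(form, data, doc = document) {
  for (const [key, value] of Object.entries(data)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = `wc_attribution_${key}`;
    input.value = value;
    form.appendChild(input);
  }
}

// Checks a reviewer can run over generated markup: the number of <input>
// tags must equal the number of keys, and no element the generator never
// emits (img, script, svg, ...) may appear.
function countInputTags(html) {
  return (html.match(/<input\b/gi) || []).length;
}

function containsForeignElement(html) {
  return /<(img|script|svg|iframe|object)\b/i.test(html);
}
```

With the constructed payload, the vulnerable builder emits four `<input` tags for three keys plus a live `<img onerror=...>`, while the escaped builder emits exactly three and the payload stays inert text. Because the payload arrives in the URL the victim opens, nothing is ever stored server-side, which is what the advisory means by "not stored in the database". The DOM variant is the preferable fix: it removes the HTML parsing step altogether instead of relying on an escaping routine being applied at every call site.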
Actions Taken by WooCommerce
WooCommerce acted swiftly to address the vulnerability. The fix ships in WooCommerce 9.0 and has also been backported to the 8.8 and 8.9 release lines, so stores that are not ready for a major-version upgrade can still be secured. The patched releases, 8.9.3 and 8.8.5, are available for download and should be installed immediately.
How to Determine If You Are Affected
To check whether your WooCommerce installation is vulnerable, verify the version you are running. Your store is at risk if it runs an unpatched 8.8.x (earlier than 8.8.5) or 8.9.x (earlier than 8.9.3) release and the Order Attribution feature is enabled. Note that Order Attribution is enabled by default in these versions, so unless you have deliberately switched it off you should assume it is on. Versions before 8.8 do not contain the vulnerable change, and 9.0 and later include the fix.
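As an added helper (not WooCommerce code), the following encodes the affected ranges stated in this post so that a version string, taken from the Plugins screen or from `wp plugin get woocommerce --field=version` on the command line, can be assessed the same way across many stores. Whether Order Attribution is enabled is supplied by the caller; the helper does not model the WordPress option that stores the toggle.

```javascript
// Added example, not from WooCommerce: decide whether a store is exposed
// based on the ranges given in the advisory. Affected: 8.8.0 <= v < 8.8.5
// and 8.9.0 <= v < 8.9.3 (half-open intervals). Everything before 8.8
// predates the vulnerable change; 9.0 and later carry the fix.

// Parse "8.9.3" (or "8.9", padded to 8.9.0) into three integers. A numeric
// comparison is required: as strings, "8.10.0" would sort before "8.9.3".
function parseVersion(v) {
  const parts = String(v)
    .trim()
    .split(".")
    .map((p) => parseInt(p, 10));
  if (parts.length < 2 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// [first affected, first fixed) for each release line.
const AFFECTED_RANGES = [
  ["8.8.0", "8.8.5"],
  ["8.9.0", "8.9.3"],
];

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) =>
      compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  );
}

// Exposure needs both conditions: vulnerable code present AND the Order
// Attribution feature switched on. orderAttributionEnabled is whatever the
// store's settings report; it is enabled by default in these versions.
function assessStore({ version, orderAttributionEnabled }) {
  if (!isAffectedVersion(version)) {
    return { exposed: false, action: "none: version outside the affected range" };
  }
  if (!orderAttributionEnabled) {
    return {
      exposed: false,
      action: "update anyway; feature is currently disabled, which is only a workaround",
    };
  }
  const target = compareVersions(version, "8.9.0") >= 0 ? "8.9.3" : "8.8.5";
  return { exposed: true, action: `update to ${target} or later now` };
}
```

Run it over a fleet inventory and anything with `exposed: true` goes to the top of the queue; stores flagged as "feature disabled" are still carrying the vulnerable code and should be updated in the same pass.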
Steps to Secure Your Store
If your WooCommerce store is affected, take one of the following actions now:
- Update via WP-Admin: log in to your WordPress admin area, navigate to "Plugins", locate "WooCommerce" and click "Update Now" if an update is offered. This is the quickest way to bring the plugin up to a patched release. Confirm the version shown on the Plugins screen afterwards.
- Update manually: if automatic updates are not available to you, install the patched release yourself. Upgrade to WooCommerce 8.9.3, or to the backported 8.8.5 if you need to stay on the 8.8 line. The fix is also included in WooCommerce 9.0, but do not postpone patching until you are ready for a major-version upgrade. The updates can be downloaded from the following links:
WooCommerce 8.9.3 (zip)
WooCommerce 8.8.5 (zip)
- Disable Order Attribution: if updating immediately is not feasible, switch off the Order Attribution feature (WooCommerce > Settings > Advanced > Features) as a temporary workaround. This stops the vulnerable form fields from being generated, but it is not a substitute for the update; apply the patch as soon as you can.
Ongoing Security Commitment
At Smarthost, we prioritise the security of our customers’ online stores. Our proactive monitoring and rapid response to such vulnerabilities underscore our commitment to safeguarding your website. Customers who have purchased a WordPress care plan from Smarthost are already fully patched and secure, ensuring uninterrupted protection against emerging threats.
For users without a care plan, we strongly advise updating your WooCommerce plugin immediately. Keeping your software up-to-date is a critical practice in maintaining the security and integrity of your online store. Customers without a care plan can avail of our “Fix My WordPress Site” service and let us handle the upgrade for you, ensuring your site is secure and up-to-date.
Summary
The release of this critical patch for the WooCommerce plugin highlights the importance of regular updates and proactive security measures. By promptly applying these patches, online store owners can protect their sites from potential attacks and ensure a safe shopping experience for their customers. Smarthost remains dedicated to providing the best security and support for all our clients, ensuring their online operations run smoothly and securely.
Our team can help
Have further questions, or need some advice about hosting solutions for you and your business?
Our team are on hand to assist you and get your business online. Why not give us a call on (01) 901 9700 or send us an email at support@smarthost.ie. We will get back to you as soon as possible.