On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh, via our HackerOne security program.
Upon learning about the issue, the WooCommerce team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases), which was deployed automatically to vulnerable stores.
After updating to a patched version, the WooCommerce team also recommends:
- Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites.
- Rotating any Payment Gateway and WooCommerce API keys used on your site.