Developer Advisory

Important security patch released in WooCommerce

On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.

What actions should I take?

Automatic software updates began rolling out on September 21, 2021, to all stores running impacted versions of WooCommerce, but we still highly recommend you ensure that you’re using a patched version. This is 5.7.0 or the highest number possible in your release branch.

After updating to a patched version, we also recommend disabling Directory Listing on your web server, if it isn’t already. This feature displays a list of every file in the web directory when there is no index file present. You can check if this is active by visiting <domain>/wp-content/uploads in a browser. If you’re not sure how to disable this, please contact your web host directly.

How do I know if my version is up-to-date?

The table below contains the full list of patched versions of WooCommerce and WooCommerce Admin. If you are running a version of WooCommerce that is not on this list, please update immediately to the highest version in your release branch. Once you update to any of the patched versions of WooCommerce below, WooCommerce Admin should update automatically.

Patched versions of WooCommerce
– 4.0.3
– 4.1.3
– 4.2.4
– 4.3.5
– 4.4.3
– 4.5.4
– 4.6.4
– 4.7.3
– 4.8.2
– 4.9.4
– 5.0.2
– 5.1.2
– 5.2.4
– 5.3.2
– 5.4.3
– 5.5.3
– 5.6.1
– 5.7.0
Patched versions of WooCommerce Admin
– 1.0.4
– 1.1.4
– 1.2.5
– 1.3.3
– 1.4.1
– 1.5.1
– 1.6.4
– 1.7.4
– 1.8.4
– 1.9.1
– 2.0.4
– 2.1.6
– 2.2.7
– 2.3.2
– 2.4.5
– 2.5.2
– 2.6.4

Why didn’t my website get the automatic update?

Your site may not have automatically updated for a number of reasons. A few of the most likely are: you’re running a version prior to one impacted (below WooCommerce 4.0.0), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.

In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 4.0.3, 4.5.4, 5.5.3, etc), as listed in the table above.

How can I check if my reports were affected?

You can check your site’s reports to see:

  • Visit <your-domain>/wp-admin/options.php and search for the woocommerce_admin_report_export_status field. If it is present, it is possible that one of the report files may have been downloaded.
  • Visit <your-domain>/wp-content/uploads in a browser. If you receive a list of files, rather than a blank page, it is possible that a report file may have been made public.

Further questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.

By Allen Smith

I'm a dad who loves telling stories, connecting people, and making the world a better place.

23 replies on “Important security patch released in WooCommerce”

Thanks, Allen. Will the branch patched branch versions be available to update from within wp-admin as well? If memory serves, the last incident in July provided that option.


I will need to double-check to verify this, but I believe the patches will be pushed automatically to affected stores that haven’t explicitly disabled auto-update functionality. From within the plugins section of wp-admin on my test site, the update link appears to upgrade the store to the most recent minor version release (e.g. from 5.6.0 to 5.7.0 and not 5.6.0 to 5.6.1). If the patch fails to automatically apply on any stores you manage, however, you should be able to apply the corresponding patch manually without issue.


Hi, We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards


Howdy. This update is being pushed out similar to the update back in July. There are some situations where sites may not receive the update. For instance, if folks have explicitly disabled automatic updates, if there are filesystem permission issues, or if there are existing plugins that are preventing the update from occurring, the store wouldn’t apply the update.


We are wondering if this update will be a forced update just like in July or that this update will only be pushed to sites that have automatic plugin update enabled under the plugin section in the backend. Kind Regards


Will this be a forced update (just like last July) or just an automatic update if this is enabled for WooCommerce under the plug-in section? Thanks in advance.


Comments are closed.