Vulnerability patched in several WooCommerce Extensions for payment processing

What you need to know

Update: This post was updated June 15, 2023 to add all updated, backported versions of the WooCommerce Stripe Gateway.

On April 16, 2023, a vulnerability was discovered in the WooCommerce Stripe extension. Once the issue was reported, our team prioritized fixing affected versions. While addressing the issue, we identified the need for additional changes and decided to ship all fixes simultaneously to avoid tipping off potential attackers. As of May 31, 2023, we began deploying patches for each extension. If your store is hosted on WordPress.com, these extensions have already been updated. The extensions and versions we have patched include:

These vulnerabilities were identified by white-hat researcher and tester Rafie Muhammad as part of our ongoing HackerOne responsible disclosure program. At this time, we have no evidence of the vulnerability being exploited in the wild.

The extensions listed above have been updated, and we have now communicated to all impacted users. If exploited in a certain way, these vulnerabilities would have allowed unauthorized users to access limited, non-payment-related information about unpaid guest orders or possibly allowed for the creation of falsified shop transactions.

Why can’t you share this information as soon as a vulnerability is discovered?

From the original date of the reporting of the vulnerability, we needed time to adequately research the severity and scope and to understand how the issue impacted other extensions. Although there was a very small chance someone could discover the vulnerability, we considered the likelihood extremely low.

We prioritized developing a series of patches and a plan for auto-updating and offering those patches directly to merchants with as little impact to their shop operations as possible. We use this more limited approach of communicating directly with merchants because it’s generally more effective, results in quicker updating, and it also reduces the chances of the vulnerability being exploited. Broader communications issued at the very early stages of a patch roll-out could increase the risk of bad actors trying to exploit the vulnerability. 

The patches and updates were rolled out as of May 31, 2023, and we were able to notify all affected merchants. Because many Woo shops are self-hosted, we cannot always communicate directly with every merchant. To that end, we want to provide this information to ensure all users of these extensions have a chance to perform these updates. 

I have one or more of these extensions listed above installed. What actions should I take?

If your website is hosted on WordPress.com, your store has already been updated to remove the vulnerability.

If your store is not hosted on WordPress.com, we strongly recommend that you ensure you’re using the latest, secure version of the following extensions:

For WooCommerce Stripe Gateway

  • From your site’s WP Admin dashboard, click the Plugins menu item and look for WooCommerce Stripe Gateway in your list of plugins.
  • The version number should be displayed in the Description column next to the plugin name. If your version is 7.4.1 or higher, no further action is needed.

  • If your version is lower than 7.4.1, you may see a notice guiding you to update WooCommerce Stripe Gateway — please go ahead and do so.
  • If your listed version is between 5.5.0 and 7.3.0, you need to manually update WooCommerce Stripe Gateway to one of these fixed versions:
7.3.17.2.17.1.1
7.0.36.9.16.8.1
6.7.16.6.16.5.2
6.4.46.3.16.2.1
6.1.16.0.15.9.1
5.8.25.7.15.6.3
5.5.1

For WooCommerce Payments

  • The version numbers should be displayed in the Description column next to the plugin name. If your version of WooCommerce Payments is 5.9.1, no further action is needed.
  • If your version is lower than 5.9.1, you may see a notice guiding you to update WooCommerce Payments — please go ahead and do so.
  • If your version is between 3.2.0 and 4.1.1, you need to manually update WooCommerce Payments to one of these fixed versions:
5.9.15.8.25.7.1
5.6.35.5.35.4.2
5.3.25.2.35.1.4
5.0.54.9.24.8.3
4.7.34.6.14.5.2
4.4.24.3.24.3.2

For WooCommerce Subscriptions

  • The version numbers should be displayed in the Description column next to the plugin name. If your version of WooCommerce Subscriptions is 5.1.3, no further action is needed.
  • If your version is between 2.1.0 and 5.1.2, you may see a notice guiding you to update WooCommerce Subscriptions — please go ahead and do so.

Where to download or access updated extensions

Has my data been compromised?

At this time, we have no evidence that this vulnerability was exploited. We are continuing to monitor and will notify customers of any new information.

I’m a service provider, developer, or agency. Should I alert my WooCommerce merchants?

We encourage anyone who supports or develops for other WooCommerce merchants to share this information and to make sure that their clients who have WooCommerce Stripe, WooCommerce Payments, or WooCommerce Subscriptions installed are using the most updated versions. 

I’m a merchant. Do I need to contact my customers?

We do not believe any store or customer data was compromised due to these newly identified vulnerabilities that we patched. If we have any reason to think this is not the case, we will contact you via email directly.

Is WooCommerce still safe to use?

Yes. While identifying new vulnerabilities is difficult, we work hard to do so proactively by partnering with HackerOne researchers to continually improve the safety of WooCommerce. Of course, finding vulnerabilities is just the first step.  

Afterward, we work to track and patch any vulnerabilities as quickly as possible. And we strive to keep our merchants and customers updated on a proactive basis about the continual steps we are taking to improve the platform.

I have other questions. If anyone has further concerns or questions regarding the patches, our team of Happiness Engineers is on hand to help — please open a support ticket.

Leave a Reply

Your email address will not be published. Required fields are marked *