We have recently discovered a vulnerability in the WooCommerce Beta Tester Plugin that allows an attacker to execute arbitrary queries if they have the Shop Manager or Administrator roles. Since this requires a privilege escalation, the severity of the vulnerability is greatly reduced. However, due to non-compliance with the WordPress Plugin Guidelines, we have decided to remove the plugin from WordPress.org.
Removing The Plugin
The WooCommerce Beta Tester Plugin provides a user interface for testing pre-release and past versions of WooCommerce. Despite its useful features, including the ability to test branches from GitHub (not available in the WordPress.org release), the plugin is no longer compliant with the WordPress Plugin Guidelines and will not be updated on WordPress.org going forward.
The plugin is not widely used and is not intended for use on production sites. Therefore, maintaining a separate, compliant version of the plugin does not make sense. However, we will continue to maintain the plugin on GitHub and release updates there.
What actions do I need to take?
If you are currently using the WooCommerce Beta Tester Plugin you should remove it from your WordPress sites. To do this, go to your WordPress dashboard, navigate to ‘Plugins’, find ‘WooCommerce Beta Tester Plugin’, and click ‘Deactivate’. Once deactivated, you will have the option to ‘Delete’ the plugin. Please ensure to backup your site before making these changes.
For those that are interested in continuing to use this plugin you can download it from woo.com where you will be able to receive the latest updates. This version contains the latest features and a fix for this security vulnerability. You will also continue to have the ability to test the latest pre-release versions of WooCommerce using the download link in each announcement blog post.
We advise all users to regularly update their plugins to ensure they’re protected from potential security issues. Your security is our priority and we appreciate your prompt attention to this matter.