Last year we were alerted to a security issue (thanks to David Anderson) that would potentially allow users with specific capabilities (and, by default, this would include the Shop Manager role) to view user data for all users. This has the possibility of exposing sensitive information. Generally, and within WooCommerce, the information stored as user metadata is not sensitive, however it is possible for other plugins to store sensitive data should they elect to. We are not aware of any cases in which this would pose a risk in WooCommerce on its own.
We identified the issue and released a fix in version 7.0.1. However, this patch did not make its way into 7.2 so the vulnerability was re-introduced with that version and has been present up until now.
We have deployed a fix for the vulnerability in version 8.1.1 that is now available.
These vulnerabilities were identified as part of our ongoing HackerOne responsible disclosure program. At this time, we have no evidence of the vulnerability being exploited in the wild.
What do I need to do?
Update your WooCommerce version to the latest version (8.1.1) as soon as possible.
Is WooCommerce still safe to use?
Yes. While identifying new vulnerabilities is difficult, we work hard to do so proactively by partnering with HackerOne researchers to continually improve the safety of WooCommerce. Of course, finding vulnerabilities is just the first step.
Afterward, we work to track and patch any vulnerabilities as quickly as possible. And we strive to keep our merchants and customers updated on a proactive basis about the continual steps we are taking to improve the platform.
I have other questions. If anyone has further concerns or questions regarding the patches, our team of Happiness Engineers is on hand to help — please open a support ticket.