Right this moment Woo’s engineering group deployed an necessary replace for WooCommerce. The replace addresses a vulnerability that might enable dangerous actors to inject malicious content material within the browser. The Woo group has additionally contacted WooCommerce retailers whose shops could also be susceptible.
This situation was restricted to WooCommerce shops working the following WooCommerce variations that additionally had Order Attribute enabled, a characteristic that’s enabled by default in WooCommerce:
| 8.8.0 | 8.8.1 | 8.8.2 | 8.8.3 |
| 8.8.4 | 8.9.0 | 8.9.1 | 8.9.2 |
In case you are working WooCommerce 8.8.0 or later, we strongly advocate updating as quickly as doable.
Actions it’s best to take to make sure your retailer is up to date
In the event you don’t have the proper model put in already, you’ll have to replace it manually.
To replace the extension:
- Log in to your retailer’s WP Admin dashboard and navigate to Plugins.
- Find WooCommerce in your checklist of put in plugins and extensions. It’s best to see an alert stating, “There’s a new model of WooCommerce accessible.”
- Click on the replace now hyperlink displayed on this alert to replace to model 8.9.3.
In case you are unable to replace WooCommerce instantly, it’s best to disable Order Attribution. This vulnerability is simply exploitable if Order Attribution is enabled.
You possibly can learn extra concerning the replace on this Woo Developer Advisory, together with methods to examine your retailer’s model standing.
What’s the vulnerability?
This vulnerability might enable for cross-site scripting, a sort of assault wherein a foul actor manipulates a hyperlink to incorporate malicious content material (by way of code resembling JavaScript) on a web page. This might have an effect on anybody who clicks on the hyperlink, together with a buyer, the service provider, or a retailer admin.
Has my retailer’s information been compromised?
We’re not conscious of any exploits of this vulnerability. The difficulty was initially discovered via Automattic’s proactive safety analysis program with HackerOne. Our assist groups have acquired no studies of it being exploited and our engineering group analyses didn’t reveal it had been exploited.
I exploit a model of WooCommerce older than 8.8.0; is my retailer impacted?
The vulnerability impacts any WooCommerce Store working WooCommerce 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.9.0, 8.9.1, 8.9.2, particularly if the shop has Order Attribution enabled (that is enabled by default). In case you are utilizing an earlier steady, up to date model of WooCommerce, your retailer shouldn’t be affected.
How do I do know if my retailer is secure?
In case your retailer is working the newest, patched model of WooCommerce (8.9.3), it’s secure.
What else can I do to maintain my retailer safe?
We all the time encourage retailers to keep up excessive safety requirements. This contains using robust passwords, two-factor authentication, cautious monitoring of transactions, and utilizing the most recent, safe model of WooCommerce (and some other extensions or plugins put in in your website). Read more about security best practices.
When you’ve got additional issues or questions, our group of Happiness Engineers is readily available to assist — please open a support ticket.
Particular Thanks
We’re grateful for the assistance of safety researcher ecaron, who labored with us to uncover this vulnerability as a part of Automattic’s HackerOne Bounty Program.
![How to Create a Cancellation Policy for Small Business [Templates + Examples] [Templates + Examples]](https://blog.theautomationking.com/wp-content/uploads/2025/04/Screenshot-2025-04-08-at-9.28.17 AM-120x86.jpg)
