On May 28, 2024, Woo's engineering team discovered an issue within WooCommerce (versions 7.8 and above) that caused the unintentional collection of specific visitor data by Automattic, Woo's parent company.
This issue only pertained to WooCommerce stores that had data tracking enabled and did not have their store connected to Jetpack.
The specific visitor data collected by Automattic included visitor IP addresses, timestamps, referrers, user agents, and some other HTTP-specific details. No sensitive customer or user data, nor any payment data, was collected as a result of this issue.
The collected data logs were stored securely on Automattic's servers. None of the data was externally accessed, and all data from stores with a patched WooCommerce version active will be removed within the next few days based on Automattic's default 14-day retention policy.
Woo's engineering team developed and released a patch for WooCommerce on June 4th, 2024 that addressed the issue. Woo merchants using automatic updating should already have the patch installed, and no further action should be necessary.
About the issue
With the release of WooCommerce 7.8, a change was made that caused an external file (in this case, https://stats.wp.com/w.js) to be requested by the store front end if the store also opted into WooCommerce usage tracking. When this file was unintentionally requested, details about the request (including the visitor data mentioned above) were recorded to server request logs on servers hosted on Automattic infrastructure.
Woo's engineering team addressed the issue by creating patched versions of WooCommerce 7.0 to 8.9. Updates were released as of June 4th, 2024.
You can read more details in this Developer Advisory on the Woo Developer Blog.
How can I tell if my store was affected?
To determine if your WooCommerce installation is affected by this issue, check the version of WooCommerce you are running. If your site has any of WooCommerce versions 7.8.0 through 8.9.1 active and your store has tracking enabled, you are likely affected. If your store is connected to Jetpack you may still see the "https://stats.wp.com/w.js" file loading when certain features are active (e.g. Jetpack search).
How do I protect my store?
The Woo team released a WooCommerce patch to address the issue starting June 4, 2024. We encourage you to ensure your store has the latest patched version of WooCommerce active.
Latest Patched Versions of WooCommerce from 7.0 to 8.9 (download the latest release from WordPress.org)
8.9.2 | 8.8.4 | 8.7.1 | 8.6.2 | 8.5.3 | 8.4.1 |
8.3.2 | 8.2.3 | 8.1.2 | 8.0.4 | 7.9.1 | 7.8.3 |
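An added example (not Woo's or Automattic's code) that applies the advisory's conditions and the patched-version list above to a store inventory. A version inside 7.8.0 through 8.9.1 can already be the patched release of its branch, so the check compares each store against its own branch's patched version. Store names, settings and function names are constructed for illustration.

```python
import re

# Patched release for each affected branch, copied from the advisory's list.
PATCHED = {
    (8, 9): (8, 9, 2), (8, 8): (8, 8, 4), (8, 7): (8, 7, 1), (8, 6): (8, 6, 2),
    (8, 5): (8, 5, 3), (8, 4): (8, 4, 1), (8, 3): (8, 3, 2), (8, 2): (8, 2, 3),
    (8, 1): (8, 1, 2), (8, 0): (8, 0, 4), (7, 9): (7, 9, 1), (7, 8): (7, 8, 3),
}

def parse_version(text):
    """'8.8.3' -> (8, 8, 3); missing parts count as 0, any suffix is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(version, tracking_enabled, jetpack_connected):
    """Classify one store against the advisory's conditions."""
    v = parse_version(version)
    fix = PATCHED.get(v[:2])
    if fix is None:
        # Branch is not in the advisory's patched-version list.
        return {"status": "outside_advisory_range", "upgrade_to": None}
    if v >= fix:
        return {"status": "patched", "upgrade_to": None}
    target = ".".join(map(str, fix))
    # The advisory limits the issue to stores with tracking on and no Jetpack connection.
    if tracking_enabled and not jetpack_connected:
        return {"status": "affected", "upgrade_to": target}
    return {"status": "unpatched_conditions_not_met", "upgrade_to": target}

# Constructed inventory: (name, WooCommerce version, tracking enabled, Jetpack connected).
STORES = [
    ("shop-a", "8.8.3", True, False),
    ("shop-b", "8.8.4", True, False),
    ("shop-c", "8.9.1", True, True),
    ("shop-d", "7.7.2", True, False),
]

def audit(stores):
    """Map each store name to its assessment."""
    return {name: assess(ver, trk, jp) for name, ver, trk, jp in stores}

if __name__ == "__main__":
    for name, result in audit(STORES).items():
        print(name, result["status"], result["upgrade_to"] or "-")
```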
We're proactively communicating with Woo merchants about this update out of an abundance of caution and as part of our commitment to data privacy. Once again, no sensitive information was accessed, and all of the specific visitor data that was collected was temporarily and securely stored on Automattic's servers.
If you have further concerns or questions, our team of Happiness Engineers is on hand to help—please open a support ticket.