This evening I received an urgent message from the developers at WooCommerce, titled “Action required: Critical vulnerability in WooCommerce.” It arrived just as I was going to bed. The message gave little information about the vulnerability other than to say it was urgent to update to the latest version (v5.5.1) of both WooCommerce and WooCommerce Blocks. The email also indicated that this vulnerability had existed (and apparently remained undiscovered) in every version of WooCommerce as far back as v3.3. The message stressed the urgency of updating immediately.
The email went on to say that their investigation of the vulnerability was ongoing. The urgent nature of their message implied this was a “zero day” vulnerability, meaning that it had just been discovered by malicious hackers and was being actively exploited on sites across the internet.
Using ManageWP for WordPress Updates
After quickly confirming that it was a genuine email from WooCommerce, I went to my home office computer and logged in to ManageWP. ManageWP is the WordPress management console I use to check for updates and to install and test new software releases across all the client websites hosted here at Oakley Studio. I knew there had been a new version of WooCommerce just a few days ago (v5.5.0), and I had been carefully installing it and running ecommerce checkout tests on client sites that operate WooCommerce online storefronts. I also knew that a zero day exploit was a serious matter that should be responded to as quickly as possible.
Sure enough, there was a new version of WooCommerce (v5.5.1) now available, as well as a WooCommerce Blocks (v5.5.1) update. There were 41 websites (both Staging and Live sites) that required updating. The Staging sites I could update all together; if the update failed on any of them, I could go back and see where the update failed on each. While that was underway, I initiated manual backups on the Live websites, so I would have a very recent restore point for each site if the WooCommerce update did not install properly. The Staging site updates completed successfully within just a few minutes, with no reported errors. I spot-checked a few of them just to be sure.
That left the Live sites to be updated. I performed the updates on each, one by one, checking for any issues following the updates.
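The triage described above (find every site still on an affected release, update Staging in bulk, then back up and update each Live site one at a time) can be written down as a small planning script. This is an added example and not code from the original post, from ManageWP or from WooCommerce; the site inventory is constructed, and the version boundaries (affected from v3.3, fixed in v5.5.1) are the ones the post reports.

```python
"""Fleet triage for a plugin advisory.

Given an inventory of sites with their installed WooCommerce and
WooCommerce Blocks versions, decide which sites still need the fixed
release and emit the update steps in a safe order: Staging sites first
(all at once), then each Live site with a backup and a check around it.
The inventory below is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

FIRST_AFFECTED = "3.3"   # earliest affected release, per the advisory email
FIXED_IN = "5.5.1"       # release that carries the fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.5.1' (or 'v5.5.1') into (5, 5, 1). Missing components count
    as 0, so '3.3' compares equal to '3.3.0'."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def needs_update(installed: str) -> bool:
    """True when the installed release lies inside the affected range
    [FIRST_AFFECTED, FIXED_IN). Releases at or above the fix are safe."""
    v = parse_version(installed)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


@dataclass
class Site:
    name: str
    env: str          # "staging" or "live"
    woocommerce: str  # installed WooCommerce version
    blocks: str       # installed WooCommerce Blocks version


def site_is_affected(site: Site) -> bool:
    """Both plugins received a fix, so either one being outdated counts."""
    return needs_update(site.woocommerce) or needs_update(site.blocks)


def plan_updates(sites: List[Site]) -> List[Tuple[str, str, str]]:
    """Return ordered (env, site, action) steps.

    Staging sites are updated together with no backup step, since a failed
    update there is cheap to inspect. Live sites are handled one by one:
    backup, update, then a checkout test before moving to the next site.
    """
    steps = []
    staging = [s for s in sites if s.env == "staging" and site_is_affected(s)]
    live = [s for s in sites if s.env == "live" and site_is_affected(s)]

    for s in staging:
        steps.append(("staging", s.name, "update"))
    for s in live:
        steps.append(("live", s.name, "backup"))
        steps.append(("live", s.name, "update"))
        steps.append(("live", s.name, "checkout-test"))
    return steps


# Constructed inventory: names and versions are invented for the example.
INVENTORY = [
    Site("shop-a", "staging", "5.5.0", "5.5.0"),
    Site("shop-a", "live", "5.5.0", "5.5.0"),
    Site("shop-b", "staging", "5.5.1", "5.5.1"),   # already patched
    Site("shop-b", "live", "5.5.1", "5.5.0"),      # Blocks still outdated
    Site("shop-c", "live", "3.2.9", "3.2.9"),      # predates the affected range
]

if __name__ == "__main__":
    for env, name, action in plan_updates(INVENTORY):
        print(f"{env:8} {name:8} {action}")
```

Running the script lists only the sites that actually need work, with the Staging update first and each affected Live site wrapped in its own backup and checkout test, which is the same order of operations the post describes.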
Patched! – In Under an Hour
Within an hour of receiving that email from WooCommerce, all Oakley Studio client websites were updated and secured against this zero day exploit. I am always happy when I know I’ve done a good bit of work managing my clients’ sites in a timely manner. There are many, many small business storefront websites going unpatched at this moment that remain vulnerable to this zero day exploit because they have no webmaster to deal with these risks as they arise. Oakley Studio clients can breathe easy knowing their webmaster is keeping a watchful eye on their sites and updating quickly when critical patches are released.
– – – – –
Update: Read the WooCommerce blog post titled “Critical Vulnerability Detected in WooCommerce on July 13, 2021 – What You Need to Know.” Their writeup and the discussion following it go into more detail about this zero day exploit.