Automattic has publicly disclosed an unauthenticated SQL injection vulnerability affecting WooCommerce, a plugin installed on more than 5 million websites.
Because of the severity of the vulnerability, the WooCommerce team is pushing the fix as a forced update to each affected minor version, and that update will be applied even if automatic plugin updates have been disabled on the site or through Pagely.
Vulnerability Details
We won’t publish specific details, but we can say that the root cause was in the function wc_sanitize_taxonomy_name, which called urldecode more than once, one call nested inside the other. Decoding a value again after it has been sanitized is dangerous in general: percent-encoded sequences that the sanitizer let through are turned back into the literal characters it was supposed to strip.
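The following snippet is an added illustration of that decode-after-sanitize pattern; it is not WooCommerce’s code and does not reproduce the actual vulnerable function. The sanitizer `toy_sanitize` is a hypothetical stand-in whose only relevant property is that it allows `%` through (as slug sanitizers commonly do), so a percent-encoded character survives it and a second `urldecode` turns it into a literal quote. The input string is constructed for the demonstration.

```php
<?php
// Added illustration, not WooCommerce's code: why calling urldecode() again
// after sanitizing defeats the sanitizer.

// Hypothetical allow-list sanitizer: keeps lowercase letters, digits, '-', '_'
// and '%'. Keeping '%' is what lets an encoded character survive the strip.
function toy_sanitize(string $name): string
{
    return preg_replace('/[^a-z0-9%_-]/', '', strtolower($name));
}

// Vulnerable shape: decode, sanitize, then decode again. The second decode
// runs on output the sanitizer already approved.
function sanitize_name_nested(string $name): string
{
    return urldecode(toy_sanitize(urldecode($name)));
}

// Hardened shape: decode exactly once, before the sanitizer, never after it.
function sanitize_name_fixed(string $name): string
{
    return toy_sanitize(urldecode($name));
}

// Constructed input: a double-encoded apostrophe. %25 decodes to '%',
// so %2527 decodes to %27 on the first pass and to "'" on a second pass.
$input = 'shoes%2527';

foreach (['nested' => sanitize_name_nested($input),
          'fixed'  => sanitize_name_fixed($input)] as $label => $out) {
    printf("%-6s -> %s (literal quote present: %s)\n",
        $label, $out, strpos($out, "'") !== false ? 'yes' : 'no');
}
```

Running it shows the nested variant returning a value ending in a literal apostrophe, while the single-decode variant returns the still-encoded `%27`, which is inert. Two practitioner caveats: the order matters as much as the count (decode before you sanitize, and never re-decode what the sanitizer returned), and a sanitizer is not a substitute for parameterized queries; in WordPress the value should still reach the database through `$wpdb->prepare()` rather than string concatenation.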
How Pagely Customers are Affected
We have directly reached out to all of our clients who are using an affected version of WooCommerce. In case you did not receive that notification, please be aware that patches are being rolled out by the software vendor directly, not by Pagely. We are monitoring for problems on our end, and will conduct periodic scanning to confirm all sites hosted by Pagely are getting the update. If we see any issues affecting your site specifically, we will reach out with a support ticket.
If you manage your codebase using Git, please make sure the patched version makes it into your repository to prevent a regression during your next deployment.
Conclusion
Vulnerabilities of this severity are rare, but when they occur they require proactive action to keep you protected. This is why WooCommerce decided to force updates to the affected minor versions. To be clear, even if you have asked Pagely not to apply automatic updates, this update comes from the vendor directly and will still be applied.
We wanted you to know that we are aware of this vulnerability. From the moment it was made public, we have been following along and making sure our customers are aware as well. If you have any questions, please do not hesitate to contact our support team.