Just received this from WooCommerce:
Hello,
We’re reaching out to let you know that a security vulnerability identified in WooCommerce has been patched. If your store runs WooCommerce version 8.1 or newer, we recommend updating to the latest version, WooCommerce 10.4.3, as soon as possible. At this time, we have no indication that this vulnerability has been exploited.
If your store has automatic updates enabled, or if your store is hosted by Automattic (via WordPress.com, Pressable, WordPress VIP, or with any host using WP Cloud), the patch should already be applied. You can check your version by following the steps below.
What you should do
While there is no indication that this vulnerability has been exploited, you should update WooCommerce to the latest patched version,10.4.3, as soon as possible. You can do this by:
- Going to Dashboard → Updates in your WordPress admin.
- Select WooCommerce.
- If your current version of WooCommerce is 10.4.3, no further action is necessary.
- If you are not using version 10.4.3, or if you see “Update now,” please click on that link to get the latest version.
What happened
A security researcher recently reported a vulnerability in WooCommerce’s Store API that could allow logged-in customers to view order details belonging to guest customers (those who checked out without creating an account). As soon as we became aware of the issue, our team developed and deployed patches for all affected versions.
Our investigation confirmed that this vulnerability:
- Required a user to access a very specific API endpoint, and would not be discoverable without prior knowledge of the exploit.
- Could only make information visible from guest customer orders.
- Required a user to have a registered store account and be logged into the store.
- Has existed for approximately two years with no known exploitation.
What information may have been involved?
If exploited, the vulnerability could have exposed guest customer order information, including names, email addresses, phone numbers, shipping and billing addresses, types of payment methods used, and items purchased. No credit card or other financial details would have been exposed.
Upon discovering the vulnerability, the Woo team immediately developed patches for all 23 affected WooCommerce versions (8.1 through 10.4.2) and carried out testing to ensure the patches would resolve the issue without disrupting store functionality.
If you have any questions or concerns, simply respond to this email or click here, and someone from the Woo Happiness team will get back to you.
Thank you,
The Woo Team
