Security Incident March 24, 2023: Update Your WooCommerce Payments Plugin Now!
I received the following email Friday morning from WooCommerce, which I wanted to pass along. Security for your WordPress website should be of utmost importance, as malicious attackers can steal your data, your clients' data, and/or take over your website. Do not take this lightly. Make sure you update your plugins today!
Sometimes, when updating your plugins, conflicts may arise between plugins that can affect the functionality of your website, especially if you have many plugins installed. This is why having some technological knowledge of debugging plugins or hiring our sorcerers for your website maintenance is of utmost importance. If you choose to run updates yourself, make sure you take a backup before running the updates.
We’re reaching out to let you know that a potential security vulnerability was discovered in WooCommerce Payments. This applies to any version after 4.8.0 – learn more.
No evidence of an external breach has been detected. As soon as we discovered this vulnerability, we immediately deactivated all impacted services and patched the issue for all sites hosted on WordPress.com.
What do I need to do?
If your website is hosted on WordPress.com, your store is in the process of being updated or has already been updated to remove the vulnerability.
For users with self-hosted stores, we strongly recommend you update to the latest secure version of WooCommerce Payments as soon as possible.
From your WP Admin dashboard, click the Plugins menu item and look for WooCommerce Payments in your list of plugins.
The version number should be displayed in the Description column next to the plugin name. If this number matches any of the patched versions listed below, no further action is needed.
If a new version is available for download, you should see a notice guiding you to update WooCommerce Payments – please go ahead and do so.
Once you’re running a secure version, we recommend checking for unexpected admin users or posts on your site. If you find any evidence of unexpected activity, we suggest you:
Update the login passwords of any admin-level users, especially if they reuse the same password on multiple websites.
Regenerate any payment gateway-specific keys (as well as any WooCommerce API keys) used on your site. To reset other keys, please consult the documentation for those specific plugins or services.
Has my data been compromised?
At this time, we have no evidence that this vulnerability was exploited. We will continue to monitor this and notify you of any new information.
We always strive for transparent and timely communication with our community. If you have any questions about this issue, please get in touch with our Happiness team.
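The check for unexpected admin users recommended in the email above, as an added shell example that is not part of the WooCommerce email or of the original post. It assumes WP-CLI is installed on a self-hosted store and that the plugin slug is `woocommerce-payments`; the function names, the `LIVE_AUDIT`, `CUTOFF` and `KNOWN_ADMINS` variables, and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Input for both functions is the CSV printed by:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv

# Print "login,email,registered" for admins created on or after CUTOFF
# (YYYY-MM-DD). Dates are "YYYY-MM-DD HH:MM:SS", so string order is date order.
flag_new_admins() {
    cutoff="$1"
    awk -F',' -v cutoff="$cutoff" '
        NR == 1 { next }            # skip the CSV header row
        { gsub(/"/, "") }           # the date field may arrive quoted
        ($4 "") >= cutoff { print $2 "," $3 "," $4 }
    '
}

# Print the login of every admin that is not in the space-separated allow-list.
flag_unknown_admins() {
    known=" $1 "
    awk -F',' -v known="$known" '
        NR == 1 { next }
        { gsub(/"/, "") }
        index(known, " " $2 " ") == 0 { print $2 }
    '
}

# Constructed sample data (not taken from a real site).
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,owner,owner@example.com,"2019-06-02 10:15:00"
7,shopmanager,manager@example.com,"2022-11-20 08:00:41"
23,wpsvc_admin,x91@example.net,"2023-03-24 03:12:09"'

# Live audit runs only when LIVE_AUDIT=1 and WP-CLI is present; CUTOFF and
# KNOWN_ADMINS are values you supply (assumed variable names).
if [ "${LIVE_AUDIT:-0}" = "1" ] && command -v wp >/dev/null 2>&1; then
    wp plugin get woocommerce-payments --field=version
    csv=$(wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv)
    printf '%s\n' "$csv" | flag_new_admins "${CUTOFF:?set CUTOFF=YYYY-MM-DD}"
    printf '%s\n' "$csv" | flag_unknown_admins "${KNOWN_ADMINS:-}"
else
    # Offline demonstration on the constructed sample above.
    printf '%s\n' "$SAMPLE_CSV" | flag_new_admins "2023-03-01"
    printf '%s\n' "$SAMPLE_CSV" | flag_unknown_admins "owner shopmanager"
fi
```

Any account either function prints should be verified with the site owner before the password and key rotation steps from the email are applied.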
Need help with your website updates, maintenance, security monitoring, and more? Check out our maintenance plans today.