Action Required: Critical Vulnerability
- WordPress,
- Woocommerce,
- Security
WooCommerce & WooCommerce Blocks Plugins
It's never a good thing to find an email with the subject line "Action required: Critical vulnerability" in your inbox.
Even more so when the critical vulnerability refers to the Woocommerce plugin, which is installed on over 5 million WordPress ecommerce websites, and the WooCommerce Blocks plugin, which is on over 200,000 sites.
With the possibility of sensitive data exposure, the urgency of the email title was understandable.
Forced Updates
The Woocommerce site states that on July 13, 2021, a critical vulnerability which involved the WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh Ledford from DOS (Development Operations Security), to Automattic through their HackerOne bug bounty security program.
Having learned about the issue the Woocommerce team conducted an investigation, audited all related codebases and identified vulnerabilities in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5). A patch fix was then created for every impacted version (90+ releases).
The Woocommerce team worked with the WordPress.org plugin team to automatically deploy updates in the early hours of July 15, to as many websites as possible, even if sites had updates disabled (known as a forced update).
As forced updates aren't always 100% successful, Woocommerce is advising that any sites using the plugins update their copy of WooCommerce to the highest release branch version possible. Where sites are running the WooCommerce Blocks feature plugin, Woocommerce needs to be updated to version 5.5.1.
Note: Woocommerce advise that only the latest version of WooCommerce is considered fully secure.
What Do We Know About This Vulnerability?
Security vulnerabilities are assigned a Common Vulnerabilities and Exposures score depending on the severity of the vulnerability. CVE "scores" range from 0-1 (no security issue/low) to 9-10 (critical). A CVE number has not yet been assigned; however, from what we know, the score is likely to be in the high to critical range.
Woocommerce announced that they had released an emergency patch for a SQL Injection vulnerability which would have allowed unauthenticated attackers to access arbitrary data in an online store's database, but they have yet to publish full details of the vulnerabilities.
Their blog post reads "Our investigation into this vulnerability and whether data has been compromised is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information."
The NOC website is reporting that there appear to be two separate issues:
- an issue with how search was being handled in WooCommerce and
- an issue with how taxonomies were being handled in WooCommerce Blocks.
NOC goes on to explain that the first problem stemmed from the improper use of $args['search'].
They further explain that the original code used the sanitize_text_field function, which should only be used against Cross Site Scripting (XSS) that doesn't occur in HTML tag attributes, and which won't fully protect against SQL Injection. This vulnerability required authentication. The update corrects the issue by replacing the sanitize_text_field call with a prepared statement.
The second issue, the more serious of the two, introduced an unauthenticated SQL Injection vulnerability, which would allow attackers to abuse the calculate_attribute_counts[][taxonomy] parameter.
WordFence Reports Active Attacks
On July 15, the WordFence blog reported that attack data had begun to come in, with attacks coming from IP addresses 107.173.148.66, 84.17.37.76 and 122.161.49.71.
WordFence also reported that they've received information regarding similar attacks dating back almost a month. They went on to say that while these older attacks lack a crucial factor that would allow the exploit to be successful, it does appear that attackers have been attempting to exploit this vulnerability for some time.
Checking Your Site
If you think your site has been exploited through this vulnerability, the WooCommerce team recommends resetting administrative passwords after updating, for additional protection. If you believe your site may have been affected, a review of your log files may show indications.
Look for any requests to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data in your log files that appear to contain SQL statements. Query strings which include %2525 are also an indicator that this vulnerability may have been exploited on your site.
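The log check described above as a small Python script, added here as an example and not taken from the original post or from WooCommerce: it parses combined-format access-log lines, picks out requests to the collection-data endpoint in either URL form, and flags those whose query string contains %2525 or SQL keywords. The sample log lines, the documentation-range IP addresses and the keyword heuristic are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic;
# the IPs are documentation addresses, not the ones reported by WordFence.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2021:02:13:07 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts%5B0%5D%5Btaxonomy%5D=pa_color HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2021:02:14:11 +0000] "GET /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts%5B0%5D%5Btaxonomy%5D=%2525 HTTP/1.1" 200 301 "-" "curl/7.68.0"
203.0.113.9 - - [15/Jul/2021:02:15:30 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts%5B0%5D%5Btaxonomy%5D=pa_size%20UNION%20SELECT HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jul/2021:02:16:02 +0000] "GET /shop/?s=select HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP and the request target from the quoted request line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
COLLECTION_DATA = "/wc/store/products/collection-data"
# Loose SQL-keyword heuristic (constructed); tune it against your own traffic.
SQL_RE = re.compile(r"\b(union\s+select|select\b.*\bfrom\b|sleep\s*\(|benchmark\s*\()", re.I)

def is_collection_data_request(path, query):
    """True for either URL form of the collection-data endpoint."""
    if path.endswith("/wp-json" + COLLECTION_DATA):
        return True
    return COLLECTION_DATA in parse_qs(query).get("rest_route", [])

def scan_line(line):
    """Return the indicator names found in one log line ([] when clean)."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not is_collection_data_request(parts.path, parts.query):
        return []
    indicators = []
    if "%2525" in parts.query:               # double-encoded '%' as logged
        indicators.append("double-encoded-percent")
    if SQL_RE.search(unquote(parts.query)):  # SQL keywords after one decode
        indicators.append("sql-keywords")
    return indicators

def scan_log(text):
    """Map each flagged client IP to the indicators seen in its requests."""
    findings = {}
    for line in text.splitlines():
        hits = scan_line(line)
        if hits:
            ip = REQUEST_RE.match(line).group("ip")
            findings.setdefault(ip, []).extend(hits)
    return findings
```

A hit on the endpoint alone is not proof of compromise (the first sample line is ordinary storefront filtering); treat flagged IPs as leads for a closer look at the full request history.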
If you have a maintenance plan with us your site has been updated to the latest secure versions of Woocommerce and Woocommerce Blocks.
We will update this post as more information becomes available.
Addendum
#1. After updating to Woocommerce 5.5.1 some sites are reporting that they are having database issues (5.5.1 security patch causing database issues and Endless query after upgrading from 4.x to 5.4.1) when the site store has a large set of products and the WooCommerce admin feature "Analytics" is enabled. This is causing performance issues which result in never-ending MySQL queries to check for stock levels of products.
The process list of MySQL (mysql > show processlist;) fills up with a new query for each admin page load, which will look like this: SELECT SQL_CALC_FOUND_ROWS wp_posts.*, low_stock_amount_meta.meta_value AS low_stock_amount, MAX...
To temporarily resolve this issue you can use one of the following workarounds:
- install the Disable WooCommerce Bloat plugin and utilise the feature to switch off the "WooCommerce Admin".
- set up a file and add it to wp-content/mu-plugins to temporarily disable the query.
- disable WooCommerce admin dashboard and WooCommerce analytics by following the instructions on the webroom site.
#2. OOS Products Admin Performance #7358. Woocommerce believe the root cause of the database issue is twofold:
- A slow SQL query used to retrieve the products that are low in stock. This SQL has been in WooCommerce for a number of releases.
- A REST API request, which executes this SQL query, is called more frequently in WooCommerce 5.5 than in previous versions.
A combination of both these is causing the degraded server performance when updating to WooCommerce 5.5.
Woocommerce are also investigating caching the REST API request and progress can be seen in Add cache-control header to low stock response PR #7364.
#3. OOS Products Admin Performance #7358. WooCommerce Admin 2.4.2 has been released which includes a partial fix for the database issue. It seeks to reduce the frequency of requests made to the problematic REST API endpoint by using lazy loading and caching. The fix can be applied now via the WooCommerce Admin plugin.
It's expected that stores with larger amounts of products may still be impacted after this fix. In these cases, existing workarounds should still be applied.
Woocommerce are continuing to work on providing a full fix by improving the SQL query performance. Progress can be seen in Fix/7358 stock api performance improvement PR #7377.
#4. OOS Products Admin Performance #7358. WooCommerce Admin 2.4.4, which includes a full fix for this issue, has been released.
A new REST API endpoint /wc-analytics/products/low-in-stock has been added utilising a more performant query for retrieving stock levels. The behavior of the existing /wc-analytics/products/?low_in_stock=true REST API endpoint has been kept intact, including the slow SQL query. All WooCommerce Admin usage has been updated to use the new, more performant endpoint.
Woocommerce will work on releasing this fix in the WooCommerce Core.
#5. Developer Advisory: Improving API Queries for Low Stock Products (see also OOS Products Admin Performance #7358).
A full fix was released in WooCommerce Admin 2.4.4, which was bundled into WooCommerce 5.5.2. This version resolves the performance degradation issues and fixes several bugs.
Once updated, previous workarounds should be removed.