A Critical vulnerability is discovered in What You Need to Know
Last Update: 23rd July 2021
On the 13th July 2021, a critical security flaw in Blocks feature plugin was discovered. block feature plugin was found and appropriately disclosed through security analyst Josh through HackerOne. HackerOne security program.
Upon learning about the issue the team conducted a thorough investigation, reviewed all the codebases in that area, and developed a patch to address the issue for every impacted version (90or more versions) which was deployed automatically to stores that were vulnerable.
I have a store - what actions should I take?
Automated software updates up to 5.5.1 were released on July 14 2021. This update is available to all stores running impacted versions of each plugin However, we highly suggest that you make sure you're using the latest version. For , this is 5.5.2* or the most recent version that you can find in the release branch. If you're also running Blocks, you should be making use of the latest version 5.5.1 of this plugin.
It is important Important: As of the release of 5.5.2 on the 23rd of July 2021, auto update procedure previously mentioned has been stopped.
After updating to a patched version we also recommend:
- Updating the passwords for any administrators on your site particularly if they use the same password on different websites
- The process of rotating any Payment Gateway and API keys that are used by your site.
More details about the steps listed below.
* 5.5.2 was made available on July 23 in 2021. The updates in this version do not have anything to do with the security flaw that was recently discovered.
How do I know if my software is current?
The table below provides the complete list of patches for versions for both and Blocks. If you are running a version of or Blocks that's not listed included in the list below, then upgrade immediately to the latest version in your release branch.
Versions that have been purged | Versions of the Patched Blocks |
3.3.6 | 2.5.16 |
3.4.8 | 2.6.2 |
3.5.9 | 2.7.2 |
3.6.6 | 2.8.1 |
3.7.2 | 2.9.1 |
3.8.2 | 3.0.1 |
3.9.4 | 3.1.1 |
4.0.2 | 3.2.1 |
4.1.2 | 3.3.1 |
4.2.3 | 3.4.1 |
4.3.4 | 3.5.1 |
4.4.2 | 3.6.1 |
4.5.3 | 3.7.2 |
4.6.3 | 3.8.1 |
4.7.2 | 3.9.1 |
4.8.1 | 4.0.1 |
4.9.3 | 4.1.1 |
5.0.1 | 4.2.1 |
5.1.1 | 4.3.1 |
5.2.3 | 4.4.3 |
5.3.1 | 4.5.3 |
5.4.2 | 4.6.1 |
5.5.1 | 4.7.1 |
5.5.2 | 4.8.1 |
4.9.2 | |
5.0.1 | |
5.1.1 | |
5.2.1 | |
5.3.2 | |
5.4.1 | |
5.5.1 |
Why didn't my website get the update automatically?
Your website may not have automatic updates due to a variety of reasons, a few that are most likely that you're using a version that was prior to the one affected (below 3.3) The automated updates are explicitly disabled on your site, your filesystem is only accessible to read, or you have possibly conflicting extensions that prevent the updating.
In all instances (except the initial example in which you're not affected) You should try manually updating to the latest patched version of your branch of release (e.g. 5.5.2, 5.4.2, 5.3.1 and so on) according to the table above.
Has any data been compromised?
Based on the latest available information, we are of the opinion that there was a limited scope for exploit.
If a store was affected, the exposed information is specific to the data that this site keeping, but it could also include orders or customer information, as well as administrative data.
How can I check if my store was exploited?
Due to the nature of this vulnerability, and the extremely fluid way WordPress (and therefore ) permits web requests to be handled, there's no definitive way of confirming that there is an exploit. There is a possibility that you can spot exploit attempts looking through your host's logs of access (or soliciting help from your hosting provider for this). Requests that follow the following formats were discovered between December 19, 2019 and January of this year could be a sign of an attempted exploit:
- REQUEST_URI matching regular expression
/\/wp-json\/wc\/store\/products\/collection-data.*%25252. */
- REQUEST_URI matching regular expression
/.*\/wc\/store\/products\/collection-data.*%25252. */
(note that this expression may not be efficient or is slow to run in most logging environments) - Any non-GET (POST or PUT) request to
/wp-json/wc/store/products/collection-data
or/?rest_route=/wc/store/products/collection-data
The requests we've seen using this vulnerability are coming from these IP addresses. More than 98% of them coming from the first in the list. If you see any or all of the IP addresses listed above within your logs of access You should conclude that this vulnerability has been used to exploit:
137.116.119.175
162.158.78.41
103.233.135.21
Which passwords do I need to alter?
It's unlikely that your password was compromised as it is hashed.
WordPress passwords of users are hashed by using salts. This means the resulting hash value is extremely hard to crack. This salt-based hash technique secures your password for use as administrator user and as well as the passwords of others on your site as well as clients. While it is possible the hashed version of your password that is stored in your database might have been accessed through this flaw but the hash number should remain hidden and protect your passwords from misuse.
This assumes that your site utilizes the default WordPress password management system for users. Based on the plugins that you've installed on your site you might have passwords and other information that is sensitive stored in less secure methods.
If you suspect that any administrator users of your website might have reused the same passwords across multiple websites, it is recommended to change those passwords in case the credentials of your users have been stolen elsewhere.
It is also recommended to change any private or secret data stored in your WordPressor database. It could include API keys, public/private keys for payment gateways, and much more, depending upon the specific configuration of your store.
As an extension developer or a service provider, do we be alerting our sellers?
If you work with any online store or retailer and you are a customer, we recommend that you work with them to make sure that they're aware of the problem, or to update your store to a secured version.
If you've created an extension, or provide an SaaS service that relies on APIs, we encourage you to aid merchants to reset their keys to connect to your services.
As the owner of a business Should I inform my customers?
How you notify your customers of this is the decision of you. Your obligations to notify clients or change things such as passwords may differ based on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting as well as whether your site has been compromised.
The most important action you can do to safeguard your customers is to update your software to a version that is patched with an update to fix the vulnerability.
After updating, we recommend:
- The passwords should be updated for all administrators on your website particularly if you use the same passwords for multiple websites
- The process of rotating the Payment Gateway and API keys used on your website.
As the store owner it you decide if you want to take additional steps like resetting your customers' passwords. WordPress (and consequently ) user passwords are hashed using salts, which means the resulting hash value is extremely difficult to break. This salted hash approach is used for all user passwords on your site, including your customers' passwords.
Are you still able to use it safely?
Yes.
Such incidents are rare however, they can occur. We aim to respond immediately and operate without obscurity.
Since learning of the vulnerability, the team has worked all hours of the day to make sure that a solution has been implemented, and our users are being kept informed.
Our continued investment in the security of platforms helps us avoid the vast majority of issues but, for the few cases that could potentially impact stores, we aim to fix quickly, communicate effectively, and collaborate in conjunction with our Community.