ValidationUtils.php modified

This looks like an automatic patch by Patchman or similar software used by webhosts proactively fixing vulnerabilities. Some of my clients received a message from their host with a notification about the patch. But I’m still looking for more information.

The code above is not part of a hack and is actually protecting the site from unwanted content in these variables.

Thanks a lot for the reply, makes me feel more relaxed!
Yes I selected autmated patching on my hosting, so probably it will be this

Hi @youlikeitmobilus,

Thank you for reaching out to us. I understand your concern about the modified ValidationUtils.php file in your WooCommerce webshops. The code snippet you’ve provided appears to be a function designed to sanitize array data using the wp_kses function, which is a common security measure in WordPress to prevent malicious content. However, it’s important to verify the source of this modification to ensure it’s not a sign of unauthorized access. Since you mentioned automated patching on your hosting, it’s possible that this change was part of a security update. To confirm this, could you please check the following:

1. Review Update Logs: Check your hosting account for any recent update logs that might explain changes to WooCommerce files.
2. Compare with Official Source: Visit the WooCommerce GitHub repository and compare the ValidationUtils.php file with the version in your webshop. The official WooCommerce GitHub repository can be found at: https://github.com/woocommerce/woocommerce
3. Contact Hosting Provider: If you’re still unsure, reach out to your hosting provider to inquire about the automated patching process and whether it includes modifications to WooCommerce files.

Let us know if there’s anything else we can help you with.

The only piece of information that I could find regarding this patch was “WooCommerce] XSS in the Address and checkout schema”, but no link to a CVE or something

Apparently this added function is called nowhere in WordPress Core or WooCommerce, so I’ll contact support at the host that applied this “fix”.

I’m struggling to understand what the patch changed exactly, is it being called in any other places? the function is similar to the one that exists in SanitizationUtils.

It added the code that’s pasted in in the OP. But I can’t find any reference to that function, so it doesn’t seem to do anything.

The support rep of my webhost points back to WooCommerce, because “Patchman wouldn’t do this if unnecessary”, but refuses to have a look at the code… So I’ve asked (repeatedly) to forward my ticket to a colleague with more experience about security.

I still think this is not a security issue but a mistake of Patchman.

Are the webshops hosted on standoutmedia.dk?
I found this reference for that patch.
In the meantime, that method does not look malicious and does not directly overwrite any of the methods called in WooCommerce codebase.
I would recommend to contact your hosting provider to confirm this is actually legit.

No, it’s a different host (NL based), but that link looks like a similar report originating from Patchman, so it’s probably the same issue. In case you have a direct contact with Patchman, you could ask them directly.

Tomorrow another support rep will take over my ticket and hopefully they can contact Patchman to clear this up.

I did a full compare of the code of the entire plugin and the extra function definition is really the only code that’s added. Nothing else changed.

In the meantime, we internally checked the area that is supposedly being patched, and found no reasons for concern.

Can you please check with the security experts of WooCommerce if this is related to anything that has already been reported? Hopefully that can help to get to the core of this issue.

Hi there,
Webshops are all hosted on Combell in Belgium.
I contacted the host and they are investigating it.
I have one webshop behind a password protection thus not visible without a password…. there was no file change. Normally this had to be patched although if it is only patching related (I think)

Hi @youlikeitmobilus,

I contacted the host and they are investigating it.

Please keep us posted. Thanks!

Hi, just chipping in that I’m getting the same notices. I’m with a different host in NL.

I’ll wait for @youlikeitmobilus response first.

Hi ,

Hosting said that there is a tool Running for global patches, but can’t conform that a patch changed the file. They don’t have log files about patching.? No further help of hosting Company?sorry.

Further I noticed the following:
There was a new update of woocommerce.I updated the plugin as usual.
Two day after that I get again the message from woocommerce with concerning the modification of the same file

Yes, Patchman is the software, that executes these patches. They have modified the file. It’s definitely not malware, but I still think there’s no real risk here that need’s to be patched.

WooCommerce 8.8.2 still doesn’t have taken over this patch, so they need to examine it and decide what to do. In the meantime I hope that my host can contact Patchman to get more information about this possible vulnerability and if WooCommerce has been contacted about this, as it should.