Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter vasantib

    (@vasantib)

    Looks like the vulnerability was caught after all!
    Just received this email:

    Action required: Critical vulnerability in WooCommerce
    WooCommerce, 4:38 PM
    
    HERE'S WHAT TO DO TO SECURE YOUR STORE
    Hi there,
    
    We’re reaching out to let you know that a critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).
    
    What actions should I take with my store?
    Stores hosted on WordPress.com and WordPress VIP have already been secured. We are working with the WordPress.org Plugin Team to automatically update as many stores as possible to secure versions of WooCommerce. We also urge you, however, to take the following added precautions to safeguard your site:
    
    Update your copy of WooCommerce to the latest version (5.5.1) or the highest number possible in your release branch.
    If you are running the WooCommerce Blocks feature plugin, you’ll need to update it to the latest version (5.5.1).

    What does this mean for my store?
    Our investigation into this vulnerability is ongoing, but we wanted to let you know now about the importance of updating immediately.
    
    We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
    
    What can I expect from WooCommerce in the future?
    Our intention is always to respond immediately and operate with complete transparency. Since we discovered this vulnerability yesterday, the WooCommerce team has worked around the clock to investigate the issue, audit all related codebases, and release a patch for every impacted version (90+ releases).
    
    If you have any other questions, we're here to help – reply to this email.
    
    Thanks for reading,
    The Woo Team
    
    This is not a marketing email. You're receiving this communication because you use (or have used) WooCommerce and WooCommerce Blocks.
    WooCommerce, Inc. is located at 60 29th St #343,
    San Francisco, CA 94110, U.S.A.
    © 2021 WooCommerce, Inc. – an Automattic company

    Thread Starter vasantib

    (@vasantib)

    Hi Abhi,
    Sorry for a late reply!
    By “taking over my site” I meant that when you went to my site https://www.signatureconcoctions.com, within a few seconds the malware sites with a popup message would replace my website in the browser and you couldn’t go back or do anything other than close the browser window.

    But when I deactivated the WooCommerce Plugin, the malware sites did not appear.

    I just double checked and it looks like the WooCommerce Payments plugin had an update this morning. I updated the plugin and reactivated it. It seems to be working fine now! So there was definitely an issue with that one plugin as identified by the sitelock team.

    I’ll mark this issue as resolved now, especially since the plugin update from this morning seems to have fixed it.

    Thank you for your time!

    Thread Starter vasantib

    (@vasantib)

    Hi Mirko,
    Thanks so much for your quick response and also for double checking everything on my site. Could it be that because I have deactivated the WooCommerce Payments plugin on the backend that the Sucuri scan didn’t find the malware? Just curious?
    I tested on my end by deactivating all WooCommerce plugins and then reactivating them all and the malware site showed up, but then when I deactivated only the WooCommerce Payments plugin, the malware site did not take over my website.
    Kindly lmk your thoughts.

    Thanks!

    I had received the following email about the same topic. I just called their tech support team, who tested it for me and completed the upgrade process. My website has been running fine:

    PHP, the web programming language, has several different versions and we will be phasing out PHP version 5.2 in the near future as it has been unsupported by its creators for several years now, along with PHP 5.3. You are receiving this email because your account was found to be using PHP version 5.2/5.3.

    If you’re not certain of your site’s compatibility with PHP 5.4, you can quickly and easily test it by changing your account to PHP 5.4 single using the outlined steps below. If, after changing your PHP version to 5.4, your site looks normal and operates without any errors, then your site is compatible. If you update to PHP 5.4 and you find your site showing errors or a blank white screen, that is a good sign that something in your site is not compatible. Most commonly these are plug-ins or themes that need to be updated. Switch the PHP version back to 5.2 or 5.3 and log in to your admin panel and check for any available updates. If none are available you will need to check with the plug-ins/theme developer to see if they have compatibility with PHP 5.4.

    It is strongly encouraged you check your site’s plug-ins/themes/3rd party scripts for any updates in the next 7 days to avoid any downtime or issues with this process.

    If you do not then your account will be automatically upgraded to 5.4 along with any extensions you have chosen to include in your current 5.2/5.3 configuration.

    You can upgrade PHP by:
    1. Navigate to your cPanel
    2. Go to the Category Software/Services
    3. Click on PHP Config
    4. Scroll down and select any of the PHP 5.4 options and save

    We also have 2 great guides that explain the difference between all the PHP versions.
    https://my.bluehost.com/cgi/help/447
    https://my.bluehost.com/cgi/help/551

    Bluehost Support
    https://www.bluehost.com
    For support go to https://helpdesk.bluehost.com/
    Toll-Free: (888) 401-4678

    Thread Starter vasantib

    (@vasantib)

    Samboll, You’re a genius!
    I added the code and it fixed not only the problem with the add/edit pages but also took away the errors that some of the plugins were giving. I didn’t think the plugin errors could have been related, otherwise I would have mentioned those as well in my original query.

    HORRIBLE PLUGIN!

    This plugin did not let me add any post groups. I had the same problem as above. In addition, it caused some more serious problems with the way my posts appear on my website.

    I installed this plugin today along with some other plugins and it completely messed up my Home page and all my custom pages. It also interfered with the “Recent Posts” widget and disabled all the settings of the widgets and “Reading” settings of WordPress too!! But I did not realize that it was this plugin that may have caused the problem. I thought it was the other plugin I tried along with this one – Different Posts Per Page, but that one’s an awesome plugin.

    I do not recommend this plugin to anyone.

    I got the same “fatal” error and found that multiple copies of the wordpress-271.zip were saved in my wp-contents folder (additional numbers were added before the extension) every time I tried to automatically upgrade.

    At this point, I decided not to upgrade. I am not sure if it’s a bug with version 2.7.1 or if auto upgrade plugin is not designed to handle newer versions.

    Any ideas/suggestions?
