
WooCommerce Changelog Leaves Out Mention of “Critical” Security Issue Fix

    • The latest version of WooCommerce re-fixed a vulnerability, which has been described by the developer as a “critical” issue. Unfortunately, the developer, Automattic, has barely disclosed that. The changelog lists it this way:

      Fix – Do not send user meta data back in woocommerce_get_customer_details response. #40221

      With other security fixes in the past, instead of “Fix” the line starts “Security”. The developer was much clearer on their developer blog, where the relevant blog post is titled WooCommerce Vulnerability Reintroduced from 7.0.1. As the title of the post suggests, this is the second time this was addressed.

      We were the ones who found that it had been reintroduced and notified Automattic’s security team, after Automattic’s own security provider, WPScan, recently published information on it but said it was fixed.

      The first time this was fixed, it was also not disclosed as a security fix in the changelog, but was mentioned as a security fix on the developer blog.

      Trying to create requirements around disclosing vulnerabilities in WordPress plugins seems like it could be rather contentious, but requiring developers to mention security fixes in the changelog if they are disclosing it elsewhere seems less controversial. Thoughts?
