WooCommerce has shipped version 5.5.2 as a follow-up to the forced security update that patched a SQL Injection vulnerability last week. The vulnerability impacted versions 3.3 to 5.5 of the WooCommerce plugin, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin. The team created a patch for more than 90 releases, which was sent as a forced security update from WordPress.org, due to the potential severity of impact for millions of WooCommerce installations.
Shortly after the automatic update rolled out, many store owners started reporting serious performance issues on both WordPress.org and GitHub. Some users reported database crashes after receiving the automatic security patch in 5.5.1. One user reported a painfully slow, endless query that was “crippling to our operations,” with similar reports on GitHub of this same query “causing the entire server to go down.”
Those with a large number of products in their databases were impacted more frequently. “We run a fairly big DB – 17k products,” one user said. “This has been a nightmare.”
Store owners affected by this issue had resorted to downgrading to the previous releases at WooCommerce’s recommendation. They shared temporary workarounds to disable the query while WooCommerce investigated the issue. The problem was reported so frequently that it became a high priority for the team to fix.
A week ago, WooCommerce developer Adrian Duffell reported back that they had determined the cause was twofold:
- A slow SQL query used to retrieve the products that are low in stock. This SQL has been in WooCommerce for a number of releases.
- A REST API request, which executes this SQL query, is called more frequently in WooCommerce 5.5 than in previous versions.
A combination of these factors was causing the degraded server performance when users updated to WooCommerce 5.5. A fix was released in WooCommerce Admin 2.4.4 three days ago, and the fix was also added to core today in 5.5.2. Users who had put workarounds in place are advised to remove them after updating to the latest release.
I think the problem with security issues is there is often a ‘knee-jerk’ reaction to fixing them rather than taking the methodical approach of fixing it properly to avoid large scale problems as reported.
Whilst there are good intentions here, I think sometimes more planning needs to be made before deploying to production environments hastily.