WooCommerce shipped version 5.7.0 through a forced update for some users earlier this week. The minor release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting configurations:
On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.
WordPress.org pushed an automatic update to affected stores beginning on September 21, for all sites that have not explicitly disabled automatic updates. The WooCommerce team created a patch for 18 versions back to 4.0.0, along with 17 patched versions of the WooCommerce Admin plugin. Those whose filesystem is set to read-only or who are running WooCommerce versions older than 4.0.0 will not have received the automatic update and should proceed to manually update their sites.
WooCommerce recommends users update to the latest version, which is now 5.7.1, or the highest number possible in your release branch. The security announcement post has detailed instructions for how store owners can check to see if their report files may have been downloaded.
More than 5 million WordPress sites use WooCommerce. At the time of publishing, 59.8% are running on version 5.4 or older. Only 12.8% are using the lates 5.7.x release. It’s not possible to see how many sites are still vulnerable, because WordPress.org only displays a breakdown for the major branches users have installed. Some site owners running older versions may still be active in applying security patches but not prepared to update to the latest release.
WooCommerce 5.7.1 was released earlier today after the team received multiple reports of broken sites following the 5.7.0 update. This release includes fixes for regressions and new bugs identified in the previous update.