On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.
What actions should I take?
Automatic software updates began rolling out on September 21, 2021, to all stores running impacted versions of WooCommerce, but we still highly recommend you ensure that you’re using a patched version. This is 5.7.0 or the highest number possible in your release branch.
After updating to a patched version, we also recommend disabling Directory Listing on your web server, if it isn’t already. This feature displays a list of every file in the web directory when there is no index file present. You can check if this is active by visiting
<domain>/wp-content/uploads in a browser. If you’re not sure how to disable this, please contact your web host directly.
How do I know if my version is up-to-date?
The table below contains the full list of patched versions of WooCommerce and WooCommerce Admin. If you are running a version of WooCommerce that is not on this list, please update immediately to the highest version in your release branch. Once you update to any of the patched versions of WooCommerce below, WooCommerce Admin should update automatically.
Patched versions of WooCommerce
Patched versions of WooCommerce Admin
Why didn’t my website get the automatic update?
Your site may not have automatically updated for a number of reasons. A few of the most likely are: you’re running a version prior to one impacted (below WooCommerce 4.0.0), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update.
In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 4.0.3, 4.5.4, 5.5.3, etc), as listed in the table above.
How can I check if my reports were affected?
You can check your site’s reports to see:
<your-domain>/wp-admin/options.phpand search for the
woocommerce_admin_report_export_statusfield. If it is present, it is possible that one of the report files may have been downloaded.
<your-domain>/wp-content/uploadsin a browser. If you receive a list of files, rather than a blank page, it is possible that a report file may have been made public.
If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
See Our Best-selling WooCommerce Themes:
See our theme collections:
- See 10+ Best Elementor WooCommerce WordPress Themes 2021
- See 20+ Best multi-vendor marketplace WordPress themes 2021
- See 12+ Best Auto Parts Shop WordPress Themes 2021
- See 15+ Best Clothing & Fashion Shop WordPress Themes 2021
- See 20+ Best Electronics Store WooCommerce Themes 2021
- See 15+ Best Selling Furniture Store WordPress Themes 2021
- See 15+ Best Selling Organic Store WordPress Themes 2021
- See 07+ Best Grocery Store WordPress Themes 2021
- See 07+ Best Health, Medical Store WordPress Themes 2021
Our Support Help Desks:
- Documentation: Find documentation for themes and frequently asked question on our Documentation channel wpthemego.com/document
- Forum Support: Join our public WPThemeGo Community at forum.wpthemego.com to find the frequently asked questions, post your problem and get support to solve it.
- Ticket System: Submit a ticket about your problem on WPThemeGo Support at support.wpthemego.com to get help from the support team. All your information will be kept confidential.
- Email Support: Contact us via email for presale questions about our themes and other questions via email@example.com.