The critical vulnerability in WooCommerce - new details.


More than a week ago, we posted information about the critical vulnerability discovered in WooCommerce versions from 3.3 to 5.5. Additional details have now become available, and we are ready to share them with you.

The WooCommerce team has provided additional information on how to determine whether your store was affected. There is no definitive way to confirm that your site was attacked, but it is still possible to find some traces.

First of all, check your server's access logs from December 2019 up to now. If you find entries similar to the examples below, it is highly likely that your site was exploited:

  • REQUEST_URI matching regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
  • REQUEST_URI matching regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is not efficient/is slow to run in most logging environments)
  • Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
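The checks above, applied to web server access-log lines, as an added example that is not part of the original post or of WooCommerce's own tooling. It assumes the common combined log format (client IP, then "METHOD URI PROTOCOL" in quotes) and uses constructed sample lines with documentation-range IP addresses; it also tallies matching requests per source IP, since the post notes that most of them came from a few addresses.

```python
import re
from collections import Counter

# Indicators from the WooCommerce guidance: a double-encoded "%25252" in a
# collection-data request URI, or any non-GET request to the endpoint.
# re.search() is unanchored, so the leading ".*" of the published regex is not
# needed here; the "/wp-json/..." form is a subset of this pattern.
PAYLOAD_RE = re.compile(r"/wc/store/products/collection-data.*%25252")
ENDPOINTS = (
    "/wp-json/wc/store/products/collection-data",
    "/?rest_route=/wc/store/products/collection-data",
)
# Combined log format: client - - [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, reason) if the line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we can parse; skip it
    ip, method, uri, _status = m.groups()
    if PAYLOAD_RE.search(uri):
        return ip, "uri-encoded-payload"
    if method != "GET" and uri.startswith(ENDPOINTS):
        return ip, "non-get-collection-data"
    return None

def scan(lines):
    """Return every indicator hit found in an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

def top_sources(hits):
    """Rank client IPs by number of matching requests, most frequent first."""
    return Counter(ip for ip, _ in hits).most_common()

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2021:12:00:00 +0000] "GET /wp-json/wc/store/products/collection-data?q=%25252 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2021:12:00:05 +0000] "POST /wp-json/wc/store/products/collection-data HTTP/1.1" 200 128',
    '192.0.2.9 - - [10/Jul/2021:12:00:09 +0000] "GET /wp-json/wc/store/products/collection-data?per_page=10 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jul/2021:12:00:12 +0000] "GET /?rest_route=/wc/store/products/collection-data&q=%25252 HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, reason in found:
        print(f"{ip:15} {reason}")
    print("top sources:", top_sources(found))
```

On a real server, feed the script `access.log` (and its rotated predecessors back to December 2019) instead of the sample list; a third benign-looking line is included to show that ordinary GET requests to the endpoint are not flagged.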

It was also noticed that most of the requests came from a few specific IP addresses:


The first of them made over 98% of such requests.

As mentioned in the previous article, the potentially affected information includes administrative information as well as customer and order data. It is unlikely that passwords were compromised if you are using the built-in WordPress password management, since they are stored as salted hashes, which makes the resulting values very difficult to crack. However, additional plugins may change this behavior, so it would be wise to change your passwords and any other secrets, such as API keys and payment gateway credentials, once the security update is done.

Also, depending on your local laws, you may need to reach out to your customers and notify them if your store was possibly affected. But the most urgent action is to update your store to the latest version.

On the 14th of July 2021, WooCommerce started an automatic update process for all stores running the impacted versions. It was discontinued on the 23rd of July.

It is important to verify that your site was actually updated, because the automatic update may have failed due to disabled auto-updates, a read-only filesystem, potential extension conflicts, and so on. If that is the case, make sure to update the system manually.