WooCommerce WordPress Plugin
This is a Public Service Announcement; it does not mean you are affected. It is being shared to help bring awareness to the vulnerability and help make the web a safer place by distributing important security advisories. If you use this plugin or know someone who uses it, please help spread the word.
Security Risk: Dangerous
Exploitation Level: Easy / Remote
DREAD Score: 8/10
Vulnerability: Object Injection
Patched Version: 2.3.11
“During a routine audit of our Website Firewall, our Vulnerability Research team found and disclosed a critical severity vulnerability in the WordPress WooCommerce plugin. The vulnerability has been patched and if you are using the plugin we encourage you to update at your earliest convenience.
The security issue was patched in version 2.3.11”
– Source: Sucuri Security Team
Update Now – Here is the direct link to the WooThemes WooCommerce Free Download v2.3.11
Change log for this WooThemes WooCommerce plugin update
2.3.11 – 10/06/2015
Fix – Check if rating is enabled before checking if a rating is required for a review.
Fix – get_discounted_price needs to check if taxes are enabled.
Fix – Fixed filetype check for digital downloads.
Fix – Newfoundland and Labrador state rename.
Fix – Escaped js in widget layered nav when using the dropdown option.
Fix – Switch the permissions check for json_search_products to use the read_product capability.
Fix – Fixed the addition of variable products using the Order API.
Fix – Sale item exclusion logic for variations.
Fix – Clear correct variation stock transients when setting stock.
Fix – Switch to JSON to avoid unserializing untrusted data when handling responses from PayPal.
Fix – API – Fixed the sanitization for downloadable files on products endpoint.
Tweak – woocommerce_downloadable_file_exists filter.
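The changelog entry about unserializing untrusted PayPal responses describes the pattern behind PHP object injection, the vulnerability class this advisory names. The following is an added PHP illustration of that pattern and its JSON-based fix; it is not WooCommerce's or Sucuri's code, and it assumes a generic gateway response body with hypothetical field names rather than PayPal's real schema.

```php
<?php
// Added example, not WooCommerce's own code: the pattern behind the 2.3.11
// "switch to JSON" fix. $body stands for the raw HTTP response body returned
// by a payment gateway (an assumption; no real gateway call is made here).

// Vulnerable pattern: unserialize() on network data. PHP instantiates whatever
// class the payload names, so a crafted body can drive the magic methods
// (__wakeup, __destruct) of any class loaded by WordPress or its plugins.
function parse_gateway_response_unsafe($body) {
    return unserialize($body);
}

// Hardened pattern: parse the body as JSON. json_decode() never instantiates
// application classes, and with $assoc = true it yields only scalars/arrays.
// The result is then checked against the fields the caller actually expects.
function parse_gateway_response_safe($body) {
    $data = json_decode($body, true, 32);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null; // malformed or unexpected shape: reject, do not guess
    }
    // Hypothetical field names; a real handler would list the gateway's own.
    $expected = ['status' => 'string', 'txn_id' => 'string', 'amount' => 'double'];
    $clean = [];
    foreach ($expected as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            return null;
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// If a legacy integration cannot change its wire format, PHP >= 7.0 can at
// least refuse to instantiate objects during unserialize(); class payloads
// then become __PHP_Incomplete_Class and no application __wakeup/__destruct runs.
function parse_legacy_response($body) {
    return unserialize($body, ['allowed_classes' => false]);
}

// Constructed sample response (hypothetical field names, not PayPal's schema).
$sample = '{"status":"Completed","txn_id":"TXN-0001","amount":19.99}';
var_dump(parse_gateway_response_safe($sample));
```

Note that the hardened parser rejects any body that is not well-formed JSON of the expected shape, which is also the behaviour a detection rule can key on: repeated rejected gateway callbacks are worth logging.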