WordPress E-commerce Plugin WooCommerce Patches Store API Flaw That Could Expose Guest Order Data

A security flaw affecting the online shopping platform WooCommerce has been patched after researchers discovered it could expose certain customer order details under specific conditions. The flaw and its fix, disclosed in a developer advisory, affected a wide range of WooCommerce versions used by millions of WordPress-based online stores worldwide.

The vulnerability, tracked as GHSL-2025-129, was found in the WooCommerce Store API, the system that allows storefronts, themes, and apps to securely retrieve order and checkout data.

According to WooCommerce, the flaw could have allowed logged-in customers to view order information belonging to guest customers (shoppers who checked out without creating an account). The software did not always properly restrict which orders a logged-in user was allowed to see when interacting with the Store API.
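The class of bug described above is an object-level authorization gap: the endpoint confirms that the caller is logged in but does not confirm that the requested order belongs to that caller. The following PHP is an added illustration of that pattern and its hardened counterpart; it is not WooCommerce's code and does not reproduce the actual Store API logic. Orders, user ids, the `manage_orders` capability flag and the order-key/email lookup are all constructed assumptions for the example.

```php
<?php
// Illustrative example (hypothetical, not WooCommerce's code): object-level
// authorization for an order-read endpoint, using plain arrays as the store.

// Constructed sample orders. customer_id 0 marks a guest checkout.
$orders = [
    101 => ['customer_id' => 7, 'order_key' => 'wc_order_k1',
            'billing_email' => 'alice@example.com', 'total' => '42.00'],
    102 => ['customer_id' => 0, 'order_key' => 'wc_order_k2',
            'billing_email' => 'guest@example.com', 'total' => '19.50'],
];

// Vulnerable pattern: being logged in is treated as permission to read any order.
function get_order_vulnerable(array $orders, int $orderId, ?int $currentUserId): ?array
{
    if ($currentUserId === null) {
        return null; // only anonymous callers are rejected
    }
    return $orders[$orderId] ?? null;
}

// Hardened pattern: authorize the specific object, not just the session.
//  - a logged-in customer may read only orders bound to their own user id
//  - a guest order is readable only with the order key and billing email
//    the guest received at checkout (never tied to whoever is logged in)
//  - staff holding the order-management capability may read any order
function can_read_order(array $order, ?int $currentUserId, bool $canManageOrders,
                        ?string $orderKey = null, ?string $email = null): bool
{
    if ($canManageOrders) {
        return true;
    }
    if ($order['customer_id'] !== 0) {
        return $currentUserId !== null && $order['customer_id'] === $currentUserId;
    }
    // Guest order: require the out-of-band secrets, compared in constant time.
    return $orderKey !== null && $email !== null
        && hash_equals($order['order_key'], $orderKey)
        && strcasecmp($order['billing_email'], $email) === 0;
}

function get_order_hardened(array $orders, int $orderId, ?int $currentUserId,
                            bool $canManageOrders, ?string $orderKey = null,
                            ?string $email = null): ?array
{
    $order = $orders[$orderId] ?? null;
    if ($order === null
        || !can_read_order($order, $currentUserId, $canManageOrders, $orderKey, $email)) {
        return null; // identical response for "missing" and "not yours" hides existence
    }
    return $order;
}

// Demonstration: logged-in user 7 requests guest order 102.
$exposed = get_order_vulnerable($orders, 102, 7) !== null;          // guest data returned
$denied  = get_order_hardened($orders, 102, 7, false) === null;     // ownership check blocks it
$guestOk = get_order_hardened($orders, 102, null, false,
                              'wc_order_k2', 'guest@example.com') !== null; // guest with key+email
$ownOk   = get_order_hardened($orders, 101, 7, false) !== null;     // customer reads own order

printf("vulnerable exposes guest order: %s\n", var_export($exposed, true));
printf("hardened denies cross-user read: %s\n", var_export($denied, true));
printf("hardened allows guest with key+email: %s\n", var_export($guestOk, true));
printf("hardened allows owner: %s\n", var_export($ownOk, true));
```

The point of the hardened branch is that a guest order has no owning account, so a logged-in session must never be accepted as proof of ownership for it; the only valid credential is the secret the guest was given at checkout.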

The issue affected WooCommerce versions 8.1 through 10.4.2. Stores running WooCommerce 8.0 or earlier were not impacted. WooCommerce version 10.4.3 and later include the fix.

If exploited, exposed information could have included:

  • Customer names
  • Email addresses and phone numbers
  • Billing and shipping addresses
  • Items purchased and order metadata
  • The type of payment method used (for example, credit card or digital wallet)

WooCommerce emphasized that no credit card numbers or financial details could be accessed through this vulnerability.

The flaw was reported through Automattic’s bug bounty program. After receiving the report, engineers investigated whether the issue had been exploited and began developing fixes.

There is no evidence the vulnerability was abused outside of internal security testing.

Update Available

WooCommerce has released patches for all 23 affected versions and worked with the WordPress.org Plugins Team to automatically deploy updates where possible. Automatic updates began rolling out to stores that have auto-updates enabled. Stores hosted by Automattic (including WordPress.com, WordPress VIP, Pressable, and WP Cloud) were patched automatically once the fix became available.

WooCommerce advises all merchants to keep plugins updated, use strong passwords and two-factor authentication, maintain regular backups, and monitor sites for unusual behavior. Merchants are also advised to:

  • Check their current WooCommerce version in the WordPress admin dashboard
  • Update immediately if running any version from 8.1 to 10.4.2
  • Confirm the store is running patched version 10.4.3 or above
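For agencies and hosts checking many stores, the three steps above can be scripted against WP-CLI output. The PHP below is an added example, not part of the advisory or WooCommerce's own tooling: it classifies a version string against the affected range stated in the article (8.1 through 10.4.2 affected, 8.0 and earlier not affected, 10.4.3 and later patched) using PHP's built-in `version_compare()`, and reads the version from a constructed sample of `wp plugin list --format=json` output. The JSON sample and the store names are made up for the example.

```php
<?php
// Added example: classify a WooCommerce version against the affected range
// from the advisory. Not WooCommerce's code.

function woocommerce_status(string $version): string
{
    $version = trim($version);
    // Reject anything that is not a plain dotted version before comparing.
    if (!preg_match('/^\d+(\.\d+){1,3}$/', $version)) {
        return 'unknown';
    }
    if (version_compare($version, '8.1', '<')) {
        return 'not-affected';   // 8.0.x and earlier never had the flaw
    }
    if (version_compare($version, '10.4.3', '>=')) {
        return 'patched';        // 10.4.3 and later carry the fix
    }
    return 'affected';           // 8.1 .. 10.4.2 inclusive
}

// Parse `wp plugin list --format=json` output and return the WooCommerce row.
function woocommerce_from_plugin_list(string $json): ?array
{
    $plugins = json_decode($json, true);
    if (!is_array($plugins)) {
        return null;
    }
    foreach ($plugins as $plugin) {
        if (($plugin['name'] ?? '') === 'woocommerce') {
            return $plugin;
        }
    }
    return null;
}

// Constructed sample: the shape `wp plugin list --format=json` produces,
// filled with made-up values for illustration.
$sampleJson = '[{"name":"akismet","status":"inactive","update":"none","version":"5.3"},'
            . '{"name":"woocommerce","status":"active","update":"available","version":"10.4.2"}]';

$wc = woocommerce_from_plugin_list($sampleJson);
if ($wc === null) {
    echo "WooCommerce not installed on this store\n";
} else {
    printf("WooCommerce %s: %s\n", $wc['version'], woocommerce_status($wc['version']));
}

// Boundary checks a reviewer would want to see covered.
foreach (['8.0.5', '8.1', '8.1.0', '9.3.1', '10.4.2', '10.4.3', '10.5', 'dev'] as $v) {
    printf("%-8s -> %s\n", $v, woocommerce_status($v));
}
```

Run it per site as `wp plugin list --format=json | php check_wc.php` after changing the script to read `file_get_contents('php://stdin')` instead of the constructed sample; a result of `affected` means step two applies, and re-running after the update should report `patched`.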

Developers, agencies, and hosting providers are also encouraged to notify clients, verify updates, and monitor for suspicious activity.

Responsibly disclosed and patched, the issue highlights how coordinated security research, regular monitoring, and timely updates help limit security risks and exposure.
