WooCommerce PayPal Object Injection

The fine people at Woo have released a security patch for WooCommerce, fixing a vulnerability in their PayPal notification system.

The vulnerability affects WooCommerce 2.0.20 – 2.3.10 when a “PayPal Identity Token” is set. It allows attackers to remotely execute code, via a known vulnerability in PHP’s unserialize function.

WooCommerce 2.3.11 contains a fix for this issue, and we strongly recommend that all users upgrade to this version as soon as possible.

We’ve released a hotfix with VaultPress 1.7.5, which protects all vulnerable versions of WooCommerce from attack. We are currently attempting to deploy this update to all VaultPress users affected by the issue. We will email site owners whose sites we are unable to update.

As always, if you have any questions, please drop us a line at vaultpress.com/contact.
