WooCommerce PayPal Object Injection

The fine people at Woo have released a security patch for WooCommerce, fixing a vulnerability in their PayPal notification system.

The vulnerability affects WooCommerce 2.0.20 through 2.3.10 when a “PayPal Identity Token” is set in the PayPal gateway settings; sites without an Identity Token configured are not exposed to this particular issue, but should upgrade regardless. It is a PHP object injection flaw: attacker-controlled data from the PayPal notification handling reaches PHP’s unserialize() function, which instantiates whatever classes the serialized payload names and lets their magic methods (such as __wakeup() and __destruct()) run. That is a well-known consequence of calling unserialize() on untrusted input, and an attacker can chain it into remote code execution.
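To show the mechanism behind the advisory, here is an added PHP example. It is not WooCommerce or VaultPress code and does not reproduce the actual WooCommerce bug; the DemoLogger class, the serialized payload and the /tmp path are constructed for the demonstration. The allowed_classes option requires PHP 7.0 or later, which is why a pre-check that also works on PHP 5 is shown alongside it.

```php
<?php
// Added example, not WooCommerce or VaultPress code: how PHP object injection
// through unserialize() works, and two ways to handle untrusted serialized
// input. DemoLogger, the payload and the /tmp path are constructed for the demo.

// Any class that is loaded when unserialize() runs and has side effects in a
// magic method is a usable "gadget". This one writes a file from its
// destructor, which PHP calls as soon as the object is discarded.
class DemoLogger {
    public $file;
    public $data;

    public function __destruct() {
        file_put_contents($this->file, $this->data);
    }
}

// Constructed attacker input: the serialized form of a DemoLogger whose
// properties the attacker chose. Building it needs no access to the class;
// the serialization format is just a string.
$untrusted = 'O:10:"DemoLogger":2:{s:4:"file";s:16:"/tmp/oi-demo.txt";'
           . 's:4:"data";s:20:"owned by unserialize";}';

// Vulnerable pattern: untrusted data goes straight into unserialize().
// The object is created and its __destruct() runs when $obj is dropped,
// writing the attacker's file. With a different gadget class the same
// pattern yields arbitrary code execution.
function vulnerable_handler(string $input)
{
    $obj = unserialize($input);
    unset($obj);
}

// Mitigation 1 (PHP 7.0+): forbid object instantiation entirely. Objects in
// the payload become __PHP_Incomplete_Class placeholders whose magic methods
// never run; scalars and arrays still deserialize normally.
function hardened_handler(string $input)
{
    $value = unserialize($input, ['allowed_classes' => false]);
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Walk the result so that objects nested inside arrays are caught as well.
function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Mitigation 2 (works on PHP 5 too): reject the input before it reaches
// unserialize() if it contains an object (O:) or custom-serialized (C:) token.
// This is deliberately strict and may reject a string value that happens to
// contain such a token; for untrusted input that is the safe direction.
function looksLikeSerializedObject(string $input): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $input);
}

// Demo run.
vulnerable_handler($untrusted);
echo 'vulnerable handler wrote the file: ',
     var_export(file_exists('/tmp/oi-demo.txt'), true), "\n";
@unlink('/tmp/oi-demo.txt');

echo 'pre-check flags the payload: ',
     var_export(looksLikeSerializedObject($untrusted), true), "\n";

try {
    hardened_handler($untrusted);
} catch (UnexpectedValueException $e) {
    echo 'hardened handler: ', $e->getMessage(), "\n";
}

// Plain data (an array holding one string) is still accepted by the hardened path.
echo 'hardened handler accepts plain data: ',
     var_export(hardened_handler('a:1:{i:0;s:2:"ok";}'), true), "\n";
```

The takeaway for a handler like the PayPal notification code: data that arrives from the network should be parsed with a format that cannot name classes (JSON, for example), and where legacy serialized data must be accepted, objects have to be refused either before or during unserialize(). Upgrading PHP alone does not fix an application that still unserializes attacker-controlled input without restrictions.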

WooCommerce 2.3.11 contains a fix for this issue, and we strongly recommend that all users upgrade to this version as soon as possible.

We’ve released a hotfix with VaultPress 1.7.5, which protects all vulnerable versions of WooCommerce from attack. The hotfix blocks exploitation on sites VaultPress protects, but it is a stop-gap: upgrading WooCommerce to 2.3.11 remains the real fix. We are currently attempting to deploy this update to all VaultPress users affected by the issue, and we will email site owners whose sites we are unable to update.

As always, if you have any questions, please drop us a line at vaultpress.com/contact.
