24 Aug 2015

New WooCommerce vulnerability, are you concerned?

A dangerous vulnerability was discovered this Wednesday, June 10, in the WooCommerce plugin. It allows any attacker to create and download files on vulnerable servers. This article explains how to find out whether you are affected and how to protect your WooCommerce platform against cyber attacks.

WooCommerce, a new vulnerability in the WordPress plugin

As a reminder, WooCommerce is a free plugin that turns any WordPress installation into a full eCommerce platform with advanced features (sales and product management, PayPal payment, sales statistics, inventory management …). The plugin quickly became popular and is currently used by more than 690,000 websites (WooCommerce Usage Statistics, BuiltWith) to run their eCommerce platform.

Because of its popularity, the WooCommerce plugin is one of the favorite targets of hackers. The previous WooCommerce vulnerability, a SQL injection, dates back only three months. Attacks of this kind let hackers alter and deface the content of your eCommerce platform and steal your customer database. You are liable for the consequences, and the financial impact on your revenue can be catastrophic.

Today, one in two small businesses hit by a cyber attack goes out of business within 6 months. No one is immune to cyber attacks, and SMEs with a strong eCommerce activity are even more exposed.

Am I affected by this WooCommerce vulnerability?

The affected WooCommerce versions range from 2.0.20 to 2.3.10. Sucuri rated the vulnerability as critical, with a high score of 8/10. It should not be taken lightly.

The issue only arises if you have enabled the “Paypal Identity Token” option. This option is configured from your WordPress dashboard by opening the “WooCommerce Settings” tab and then “Checkout”. From there, go to the advanced options to reach the “Paypal Identity Token” field that triggers the vulnerability.


If the “Paypal Identity Token” field is filled in, your whole eCommerce platform is vulnerable: the vulnerability lets hackers access your entire database. Note that a substantial majority of WooCommerce websites use PayPal and are therefore potentially vulnerable.
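The two conditions above (a WooCommerce version between 2.0.20 and 2.3.10, and a non-empty PayPal Identity Token) can be checked from the server shell. The script below is an added example written for this article; it is not code from WooCommerce, Sucuri or OZON. It assumes that the plugin version is readable from the `Version:` line of the plugin's main PHP file (`wp-content/plugins/woocommerce/woocommerce.php`) and that the identity token is retrieved separately, for instance from the `woocommerce_paypal_settings` option via WP-CLI (both locations are assumptions, so the sample header file and the token value used here are constructed inline).

```shell
#!/bin/sh
# Added example: decide whether a WooCommerce install matches the affected
# range described in the article (2.0.20 .. 2.3.10) AND has the PayPal
# Identity Token configured. Nothing here is WooCommerce's own code.

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B, comparing dotted
# versions numerically (so 2.3.9 < 2.3.10, unlike a plain string compare).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# plugin_version FILE -> prints the "Version:" value from a WordPress plugin
# header comment (assumed layout: " * Version: 2.3.10").
plugin_version() {
    sed -n 's/^[[:space:]]*\*[[:space:]]*Version:[[:space:]]*//p' "$1" | head -n 1
}

# woocommerce_affected VERSION TOKEN -> exit 0 if both conditions from the
# article hold (version in [2.0.20, 2.3.10] and token non-empty), else 1.
woocommerce_affected() {
    ver="$1"
    token="$2"
    [ "$(vercmp "$ver" 2.0.20)" -ge 0 ] || return 1
    [ "$(vercmp "$ver" 2.3.10)" -le 0 ] || return 1
    [ -n "$token" ] || return 1
    return 0
}

# Constructed sample plugin header standing in for
# wp-content/plugins/woocommerce/woocommerce.php on a real site.
SAMPLE_HEADER=$(mktemp)
cat > "$SAMPLE_HEADER" <<'EOF'
<?php
/**
 * Plugin Name: WooCommerce
 * Version: 2.3.10
 */
EOF

# Constructed token value. On a real site this would come from the PayPal
# gateway settings, e.g. (assumed option name):
#   wp option get woocommerce_paypal_settings --format=json
PAYPAL_IDENTITY_TOKEN="constructed-sample-token"

WC_VERSION=$(plugin_version "$SAMPLE_HEADER")
if woocommerce_affected "$WC_VERSION" "$PAYPAL_IDENTITY_TOKEN"; then
    echo "WooCommerce $WC_VERSION with PayPal Identity Token set: AFFECTED, update to 2.3.11 or later"
else
    echo "WooCommerce $WC_VERSION: not in the affected configuration"
fi
rm -f "$SAMPLE_HEADER"
```

Run it on the site itself by pointing `plugin_version` at the real plugin file and substituting the token read from the gateway settings; a site on 2.3.11 or later, or with the token field empty, reports as not affected, which matches the two conditions the article gives.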

How to protect your WooCommerce platform against cyber attacks?

Since the vulnerability was identified, WooCommerce has released a fix in version 2.3.11, which can be downloaded directly from the official WordPress plugin directory or installed through the Plugins page of your WordPress administration panel.


For additional security, or if you are unable to update your WooCommerce plugin, you should rely on a cybersecurity solution. This vulnerability is critical and must be treated as such. Take every precaution to protect your website and your WooCommerce platform.

OZON understands the importance of the WooCommerce plugin for eCommerce platform owners and has developed a solution for you. Within minutes your WooCommerce platform is protected against sophisticated web attacks and fraud. The OZON cybersecurity solution is active 24/7 and offers a full range of tools: it detects vulnerabilities, blocks cyber attacks and prevents fraudulent transactions in real time.

Finally, OZON does not require advanced technical skills to set up or administer. Its deployment is transparent and requires no installation.