Critical vulnerability disclosed on July 13, 2021: what you need to know
Last updated: July 23, 2021
On July 13, 2021, a critical security vulnerability was discovered in the core plugin and in the Blocks feature plugin. It was identified and responsibly disclosed by security researcher Josh through HackerOne.
On learning of the issue, the team immediately conducted a thorough investigation, audited all related codebases, and created a patch for every affected version (more than 90 releases), which was deployed automatically to vulnerable stores.
I'm a store owner, what should I do?
Automatic updates to version 5.5.1 began rolling out on July 14, 2021, to every store running an affected version of either plugin. We strongly recommend that you make sure you are running the latest version: 5.5.2* or the highest version available in your release branch. If you also run Blocks, you should be on version 5.5.1 of that plugin.
*Important: with the release of 5.5.2 on July 23, 2021, the automatic update process described above was halted.
After updating to a patched version, we also recommend:
- Updating the passwords of any administrator users on your site, particularly if they reuse the same password on multiple websites
- Rotating any payment gateway and API keys used by your site.
More information on these steps is given below.
*5.5.2 was released on July 23, 2021. The changes included in that release are unrelated to the recently discovered security vulnerability.
How do I know if my version is up to date?
The table below lists every patched version of both the core plugin and Blocks. If you're running a version of either plugin that isn't in the list, update to the highest version available in your release branch.
Patched core plugin versions | Patched Blocks versions |
3.3.6 | 2.5.16 |
3.4.8 | 2.6.2 |
3.5.9 | 2.7.2 |
3.6.6 | 2.8.1 |
3.7.2 | 2.9.1 |
3.8.2 | 3.0.1 |
3.9.4 | 3.1.1 |
4.0.2 | 3.2.1 |
4.1.2 | 3.3.1 |
4.2.3 | 3.4.1 |
4.3.4 | 3.5.1 |
4.4.2 | 3.6.1 |
4.5.3 | 3.7.2 |
4.6.3 | 3.8.1 |
4.7.2 | 3.9.1 |
4.8.1 | 4.0.1 |
4.9.3 | 4.1.1 |
5.0.1 | 4.2.1 |
5.1.1 | 4.3.1 |
5.2.3 | 4.4.3 |
5.3.1 | 4.5.3 |
5.4.2 | 4.6.1 |
5.5.1 | 4.7.1 |
5.5.2 | 4.8.1 |
| 4.9.2 |
| 5.0.1 |
| 5.1.1 |
| 5.2.1 |
| 5.3.2 |
| 5.4.1 |
| 5.5.1 |
Why isn't my site updating automatically?
Your site may not be updating automatically for a variety of reasons; the most likely are:
- you're running a version older than the affected range (below 3.3)
- automatic updates have been disabled on your site
- your filesystem is read-only
- a conflicting extension is preventing the update
In all cases except the first (where you're not affected), we recommend updating manually to the newest patched version in your release branch (e.g. 5.5.2, 5.4.2, 5.3.1, etc.), using the table above.
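As an added example (not code from the advisory or from the plugin project), the script below encodes the two rules above, that a version is patched if it is at or above the first patched release in its release branch and that anything older than the affected range is unaffected, so the table can be applied to many stores at once. It assumes MAJOR.MINOR.PATCH version strings, that a release branch is the MAJOR.MINOR prefix, that the same "older than the table" rule holds for Blocks, and that releases newer than the table (after July 23, 2021) carry the fix; the store inventory in the usage call is constructed.

```python
"""Check whether an installed plugin version is patched against this advisory.

Added example, not code from the advisory or from the plugin project. It
assumes three-part MAJOR.MINOR.PATCH version strings, that a "release branch"
is the MAJOR.MINOR prefix (as the table implies), that any version older than
the oldest patched branch is unaffected (the advisory says this for core
versions below 3.3), and that releases newer than the table carry the fix.
"""
from __future__ import annotations

# Patched core plugin versions, copied from the advisory's table.
PATCHED_CORE = [
    "3.3.6", "3.4.8", "3.5.9", "3.6.6", "3.7.2", "3.8.2", "3.9.4",
    "4.0.2", "4.1.2", "4.2.3", "4.3.4", "4.4.2", "4.5.3", "4.6.3", "4.7.2",
    "4.8.1", "4.9.3", "5.0.1", "5.1.1", "5.2.3", "5.3.1", "5.4.2",
    "5.5.1", "5.5.2",
]

# Patched Blocks feature plugin versions, copied from the advisory's table.
PATCHED_BLOCKS = [
    "2.5.16", "2.6.2", "2.7.2", "2.8.1", "2.9.1", "3.0.1", "3.1.1", "3.2.1",
    "3.3.1", "3.4.1", "3.5.1", "3.6.1", "3.7.2", "3.8.1", "3.9.1", "4.0.1",
    "4.1.1", "4.2.1", "4.3.1", "4.4.3", "4.5.3", "4.6.1", "4.7.1", "4.8.1",
    "4.9.2", "5.0.1", "5.1.1", "5.2.1", "5.3.2", "5.4.1", "5.5.1",
]


def parse_version(v: str) -> tuple[int, ...]:
    """'5.5.2' -> (5, 5, 2); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in v.strip().split("."))


def fmt_version(t: tuple[int, ...]) -> str:
    return ".".join(str(n) for n in t)


def branch_fixes(patched: list[str]) -> dict[tuple[int, int], tuple]:
    """Map each MAJOR.MINOR branch to (first patched release, highest patched release)."""
    fixes: dict[tuple[int, int], tuple] = {}
    for p in patched:
        t = parse_version(p)
        lo, hi = fixes.get(t[:2], (t, t))
        fixes[t[:2]] = (min(lo, t), max(hi, t))
    return fixes


def patch_status(installed: str, patched: list[str]) -> str:
    """Return 'patched', 'not affected', or 'vulnerable: update to X'."""
    inst = parse_version(installed)
    fixes = branch_fixes(patched)
    branch = inst[:2]
    if branch < min(fixes):
        return "not affected"          # older than the affected range
    if branch > max(fixes):
        return "patched"               # assumption: released after the fix
    if branch not in fixes:
        # Branch missing from the table: the only safe target is the newest release.
        newest = max(hi for _, hi in fixes.values())
        return f"vulnerable: update to {fmt_version(newest)}"
    first_fix, highest = fixes[branch]
    if inst >= first_fix:
        return "patched"               # every later release in the branch has the fix
    return f"vulnerable: update to {fmt_version(highest)}"


def fleet_report(stores: dict[str, tuple[str, str | None]]) -> dict[str, dict[str, str]]:
    """Status of core (and, if installed, Blocks) for each store in an inventory."""
    report: dict[str, dict[str, str]] = {}
    for name, (core, blocks) in stores.items():
        entry = {"core": patch_status(core, PATCHED_CORE)}
        if blocks:
            entry["blocks"] = patch_status(blocks, PATCHED_BLOCKS)
        report[name] = entry
    return report


if __name__ == "__main__":
    # Constructed inventory: store name -> (core version, Blocks version or None).
    inventory = {"shop-a": ("5.5.1", "5.5.1"), "shop-b": ("4.9.2", None), "shop-c": ("3.2.9", "2.4.0")}
    for store, status in fleet_report(inventory).items():
        print(store, status)
```

Run it against an inventory exported from your management tooling; any "vulnerable" entry names the exact release to install.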
Has any of my data been compromised?
Based on the currently available evidence, we believe that any exploitation was limited.
If a store was affected, the exposed information depends on what that site stores, but it could include order, customer, and administrative data.
How can I tell if my site was exploited?
Because of the nature of this vulnerability and the way WordPress (and therefore the plugin) allows web requests to be handled, there is no definitive way to confirm an exploit. You may be able to detect some exploit attempts by reviewing your web server's access logs (or by asking your hosting provider for help). Requests of the following forms, seen between December 2019 and now, may indicate an attempted exploit:
- REQUEST_URI matching the regular expression /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
- REQUEST_URI matching the regular expression /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression may be expensive or slow to evaluate in some log environments)
- Any non-GET (POST or PUT) request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data
The requests we have observed exploiting this vulnerability came from the IP addresses listed below, the vast majority from the first one. If any of these addresses appear in your access logs, you should assume the vulnerability was exploited:
137.116.119.175
162.158.78.41
103.233.135.21
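The script below applies the three request indicators and the IP list above to access-log lines. It is an added example, not code from the advisory or from the plugin project; it assumes the common Apache/nginx "combined" log format, and the log lines embedded in it are constructed for illustration (the known-bad address is one from the list above; the other addresses are documentation ranges).

```python
"""Scan web-server access logs for the exploit indicators given in the advisory.

Added example, not code from the advisory or the plugin project. It assumes
the Apache/nginx "combined" log format (client IP first, request line in
quotes). The sample lines at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Indicators 1 and 2: the collection-data endpoint followed somewhere by
# "%25252", a percent sign that has itself been URL-encoded more than once.
# The advisory's second pattern starts with ".*"; with re.search that prefix
# is redundant, and it is what makes the pattern slow in some log tools.
RE_WPJSON_PATH = re.compile(r"/wp-json/wc/store/products/collection-data.*%25252")
RE_ANY_PREFIX = re.compile(r"/wc/store/products/collection-data.*%25252")

# Indicator 3: any non-GET request to the endpoint, in either routing form.
COLLECTION_DATA = "/wc/store/products/collection-data"

# Source addresses the advisory lists; a hit means "assume exploited".
KNOWN_BAD_IPS = {"137.116.119.175", "162.158.78.41", "103.233.135.21"}

# combined format: ip ident user [time] "METHOD uri PROTO" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def targets_collection_data(uri: str) -> bool:
    """True for /wp-json/wc/store/... and /?rest_route=/wc/store/... requests."""
    path, _, query = uri.partition("?")
    if path.rstrip("/") == "/wp-json" + COLLECTION_DATA:
        return True
    routes = parse_qs(query).get("rest_route", [])
    return any(r.rstrip("/") == COLLECTION_DATA for r in routes)


def classify(line: str) -> list[str]:
    """Return the names of the advisory indicators matched by one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # not a combined-format request line; ignore it
    ip, method, uri = m.group("ip", "method", "uri")
    hits: list[str] = []
    if RE_WPJSON_PATH.search(uri):
        hits.append("encoded-payload:wp-json")
    elif RE_ANY_PREFIX.search(uri):
        hits.append("encoded-payload:other-prefix")
    if method != "GET" and targets_collection_data(uri):
        hits.append(f"non-get:{method}")
    if ip in KNOWN_BAD_IPS:
        hits.append("known-bad-ip")
    return hits


def scan(lines) -> dict:
    """Classify every line; return the matches and an overall verdict."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    if any("known-bad-ip" in hits for _, hits in findings):
        verdict = "assume exploited"
    elif findings:
        verdict = "possible exploit attempt; investigate"
    else:
        verdict = "no indicators found"
    return {"findings": findings, "verdict": verdict}


# Constructed sample log (not real traffic). 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges; line 3 uses an address from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jul/2021:10:01:02 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2021:10:02:15 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=%25252Ftrue HTTP/1.1" 200 1024 "-" "python-requests/2.25.1"',
    '137.116.119.175 - - [20/Jul/2021:10:03:40 +0000] "POST /?rest_route=/wc/store/products/collection-data HTTP/1.1" 400 89 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [20/Jul/2021:10:04:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for number, hits in result["findings"]:
        print(f"line {number}: {', '.join(hits)}")
    print("verdict:", result["verdict"])
```

To run it over a real log, replace SAMPLE_LOG with the lines of your access log (e.g. `scan(open("access.log"))`); if your server logs a different format, adjust LOG_LINE so that it still captures the client address, method and request URI.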
Which passwords should I change?
It is unlikely that your password was compromised, because it is stored hashed.
WordPress hashes user passwords with salts, which makes the resulting hash values very difficult to crack. This salted hashing applies to your administrator password, to the passwords of any other users on your site, and to your customers' passwords. It is still possible that the hashed form of your password stored in the database was exposed by this vulnerability, but the hash itself should be essentially unusable and should protect your password from being exploited. (A weak or reused password can still be recovered from its hash by offline guessing, which is why the reset advice below matters.)
Your site may use the standard WordPress password system for customers too. Depending on the plugins you have installed, you may also have passwords or other sensitive data stored in less secure ways.
If you believe that any of your site's admin users may have reused the same password across multiple websites, we recommend changing those passwords in case the credentials were compromised on another site.
We also recommend rotating any secret or private information stored in your WordPress database. Depending on your site's setup, this could include API keys, public and private keys for payment gateways, and more.
I'm an extension developer or service provider; should I notify my merchants?
If a store is your client, we recommend working with them to make sure they are aware of this issue and have updated to a patched version.
If you develop extensions or offer a SaaS service that relies on the plugin's API keys, we encourage you to help merchants rotate the API keys they use to connect to your service.
I'm a store owner; should I notify my customers?
How you communicate with your customers is entirely up to you. Your obligations to notify customers about things such as password changes may vary depending on specifics like your site's infrastructure, where you and your customers are located, what information your site collects, and whether your site was compromised.
The most important step you can take to protect your customers is updating to a patched version that addresses the vulnerability.
After updating, we recommend:
- Updating the passwords of all administrators on your site, particularly if the same passwords are used on multiple websites
- Rotating any payment gateway and API keys used to access your site.
Going further, for example by resetting your customers' passwords, is up to you as the store owner. WordPress (and therefore the plugin) hashes user passwords with salts, so the stored hash values are very difficult to crack. This salted hashing applies to every user password stored on your site, including your customers' passwords.
Can I continue to use the plugin safely?
Yes.
Although incidents like this are uncommon, they can happen. Our team's goal is to respond quickly and with full transparency.
Since we first learned of the issue, our team has been working around the clock to make sure a fix is in place and users are kept informed.
Continued investment in platform security helps us prevent the vast majority of problems, and when we encounter a situation that could harm stores, we work to address it swiftly, communicate clearly, and work together with our community.
What if I have additional questions?