Wordfence notified about WooCommerce 8.4 vulnerability, but 8.5 isn’t out yet.

Sí, en efecto, también alertamos mismo aviso. “WooCommerce <= 8.4.0 – Scripts entre sitios reflejados” que la versión Versión parcheada es la 8.5.0. la cuá aún no está disponible y llama la atención.

WooCommerce <= 8.4.0 – Reflected Cross-Site Scripting

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce/woocommerce-840-reflected-cross-site-scripting

There’s a bug in 8.5.0 so they stopped further downloads

Please note: this release contains a known issue that may cause fatal errors if the Marketplace feature is disabled. Learn more about this issue and workarounds.

We have rolled back the stable tag to version 8.4.0. This temporary measure is to halt further updates to version 8.5.0 until we implement a necessary fix. As a result, the option to update to 8.5.0 will not be available during this period.

We will make an announcement once the fix is released.

https://developer.woo.com/2024/01/09/woocommerce-8-5-0-released/

You can download it on Github.

https://github.com/woocommerce/woocommerce/releases/tag/8.5.0

@tufty Thanks for explaining! And what to do with the website meanwhile? Is there a way to keep it down or in maintenance mode until the 8.5 is released?

My WooCommerce sites have also been notified of this security vulnerability. WooCommerce needs to issue 8.4.1 to fix the bug asap. WooCommerce has over 5 million active installations, all of which are vulnerable!

Hi @bbtr as I understand this, it is not a vulnerability that affects the security of your site. Instead this is something a third party can use your resources for to execute something bad from a weblink that they present to the victim.

https://portswigger.net/web-security/cross-site-scripting/reflected

This is expressed in the severity score of 6.1, ie. medium, not critical. So suspending your site pending the fix would probably not be proportionate. And in any case it appears from the Woocommerce note that simply activating the Woocommerce marketplace before installing 8.5 would avoid the bug.

Personally, I’ll wait for the fix. If it was really serious I’m sure they would have it out by now.

just install it from github as mentioned by @ambri
ive installed it on 6 sites this morning

• This reply was modified 1 year, 1 month ago by e2zanti.

Why would you install 8.5.0 on six sites knowing it has a security vulnerability? 8.4 is the one that should be installed until they release 8.5.1 on Monday that fixes 8.5.0?

It was a false-positive. This vulnerability was already fixed in 8.4.0 (about 5 weeks ago). Correct details can be found here: https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-3-0-reflected-cross-site-scripting-vulnerability

@e2zanti I’d rather wait for it to be officially re-released. As mentioned above 8.5 was released and then taken down, probably there is a reason it isn’t back yet. Better safe than sorry! ?? I just hope we won’t have to wait longer than Monday.

@tufty Yeah, I understand 8.4 isn’t doing anything malicious on its own. Thanks again for providing all the info, I found it very helpful!

Thanks everyone who replied! I appreciate it! Have a great Sunday!

Hi @bbtr,

I completely understand why you’d prefer to wait for WooCommerce 8.5 to be re-released!

I’d rather wait for it to be officially re-released. As mentioned above 8.5 was released and then taken down, probably there is a reason it isn’t back yet. Better safe than sorry! ?? I just hope we won’t have to wait longer than Monday.

This particular vulnerability has been fixed in version 8.4 of WooCommerce a few weeks ago. That is confirmed by the text here:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce/woocommerce-840-reflected-cross-site-scripting

IMPORTANT: There was a miscommunication and error in this vulnerability record where we initially reported version 8.5.0 as patched, while 8.4.0 was still vulnerable. This issue was patched in version 8.4.0 and only affects versions up to 8.3.0. Please rest assured knowing you can update the plugin to version 8.4.0 and this issue will be patched.

I can also confirm from the WooCommerce side that this issue has indeed been addressed in WooCommerce 8.4.0.

WooCommerce 8.5.0 has been released and then retracted due to an unrelated issue. It will likely be re-released early next week, however, there’s no rush to update since version 8.4.0 is secure.

I hope this helps!

Hola @bbtr este tema ha sido completamente abordado aquí: https://www.ads-software.com/support/topic/cross-site-scripting-vulnerability-on-v8-4-by-wordfence/#post-17341710

Saludos

Hi!

Full topic in the following link: https://www.ads-software.com/support/topic/cross-site-scripting-vulnerability-on-v8-4-by-wordfence/#post-17341710

Greetings

So yeah, 8.5.0 killed off half off my site. Empty carts, users cannot log into their accounts, admin cannot access stats or inbox. I really regret having clicked on upgrade plugin, but I’m happy to know 8.5 is hugely buggy and I’m not the only one affected. I hope they fix this soon, otherwise I’m forced to set up a new VPS with Woo 8.4.