
A critical WooCommerce Store API vulnerability has been discovered affecting versions 5.4 through 10.5.2. This security flaw, if exploited, could allow attackers to gain full administrative control over your WordPress site.
For owners of digital economies, this WooCommerce Store API vulnerability doesn’t just threaten your products; it puts your myCred points, user balances, and gamification data at risk.
Immediate action is required to secure your e-commerce store and the integrity of your rewards program.
What is the WooCommerce Store API Vulnerability?
The reported WooCommerce Store API vulnerability is a Cross-Site Request Forgery (CSRF) flaw. It was identified through Automattic’s bug bounty program.
How it works:
An attacker tricks a logged-in administrator into visiting a malicious page or link. The admin’s browser sends the forged request to the store together with the admin’s own session cookie, so the Store API processes it as if the admin had made it. This reportedly works only under specific browser conditions (non-Chrome browsers or older versions), which is consistent with Chrome’s default of treating cookies as SameSite=Lax: that default withholds the session cookie from cross-site POST requests, while browsers without it still send the cookie along.
The forged actions include creating new administrator accounts or modifying site content without the owner’s knowledge.
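To make the mechanism concrete, here is a toy model of the CSRF pattern just described. It is an added illustration and not WooCommerce, WordPress or myCred code: the route, cookie name, session value and nonce are stand-ins, and the browser is reduced to the two rules that decide whether a forged request succeeds (a cross-site form cannot add a custom header, and a SameSite=Lax default drops the session cookie from cross-site POSTs).

```python
"""Toy model of the cross-site request forgery (CSRF) pattern described above.

Added illustration only: none of this is WooCommerce, WordPress or myCred code.
The route, cookie name, session value and nonce are stand-ins (assumptions),
and the browser model keeps just the two rules that decide whether CSRF works:
  1. a cross-site HTML form POST cannot add custom headers such as X-WP-Nonce;
  2. a browser that defaults cookies to SameSite=Lax (Chrome's default since
     version 80) omits the session cookie from a cross-site POST.
"""
from dataclasses import dataclass, field

SESSION_COOKIE = "wordpress_logged_in"  # assumed cookie name
ADMIN_SESSION = "admin-session"         # constructed session value
VALID_NONCE = "a1b2c3d4e5"              # constructed; real nonces are per user and per action


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Site:
    """Stand-in for a site that authenticates writes by session cookie.
    require_nonce=False models the flawed state (cookie alone is enough);
    require_nonce=True models the fix (cookie plus a valid nonce header)."""
    require_nonce: bool
    users: list = field(default_factory=lambda: ["owner"])

    def handle(self, req: Request) -> tuple:
        # The browser attaches the session cookie automatically; that is what CSRF abuses.
        if req.cookies.get(SESSION_COOKIE) != ADMIN_SESSION:
            return 401, "not logged in"
        if self.require_nonce and req.headers.get("X-WP-Nonce") != VALID_NONCE:
            return 403, "nonce check failed"
        if req.method == "POST" and req.path == "/wp-json/example/v1/users":
            self.users.append(req.body["username"])
            return 201, "user created"
        return 404, "unknown route"


def cross_site_post(site: Site, samesite_lax_default: bool) -> tuple:
    """The logged-in admin visits attacker.example, which auto-submits a form
    to the store. The attacker controls only the path and the body."""
    cookies = {} if samesite_lax_default else {SESSION_COOKIE: ADMIN_SESSION}
    forged = Request(
        method="POST",
        path="/wp-json/example/v1/users",
        cookies=cookies,
        headers={},  # a cross-site form cannot set X-WP-Nonce
        body={"username": "attacker-admin"},
    )
    return site.handle(forged)


def same_site_post(site: Site) -> tuple:
    """The legitimate admin UI: same-origin JavaScript can read the nonce
    WordPress embeds in the admin page and send it as a header."""
    legit = Request(
        method="POST",
        path="/wp-json/example/v1/users",
        cookies={SESSION_COOKIE: ADMIN_SESSION},
        headers={"X-WP-Nonce": VALID_NONCE},
        body={"username": "new-editor"},
    )
    return site.handle(legit)


def outcomes() -> dict:
    """HTTP status for all four combinations of browser default and server check."""
    return {
        "flawed site, non-Lax browser": cross_site_post(Site(False), False)[0],
        "flawed site, Lax-default browser": cross_site_post(Site(False), True)[0],
        "fixed site, non-Lax browser": cross_site_post(Site(True), False)[0],
        "fixed site, legit admin UI": same_site_post(Site(True))[0],
    }
```

Running `outcomes()` shows why the browser condition matters and why it is not a defence: the forged request only lands when the server accepts the cookie alone and the browser still sends it, and a server-side check (a nonce the attacker cannot read or forge) closes the hole regardless of browser. Note that SameSite=Lax still attaches cookies to top-level GET navigations, so a state-changing GET endpoint would remain forgeable even in Chrome.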
Because a single forged request can hand an attacker full control of the site, treat this as a high-priority security update even though exploitation has not been observed.
The Good News
The vulnerability was reported responsibly through Automattic’s bug bounty program. Currently, there is no evidence of this vulnerability being actively exploited in the wild outside of official security testing.
Why this WooCommerce Security Update Matters for myCred Users
If you use myCred to manage loyalty reward points, digital wallets, or tiered rewards, your site’s security is critical. A compromised admin account via this WooCommerce Store API vulnerability could allow an attacker to:
- Manipulate user point balances and logs.
- Access sensitive customer metadata tied to myCred hooks.
- Devalue your digital currency by creating fraudulent transactions.
Securing your WooCommerce installation is the first step in ensuring your myCred gamification remains fair and secure for your community.
How to Fix the WooCommerce Store API Vulnerability
To resolve the WooCommerce Store API vulnerability, update WooCommerce to a patched version immediately.
To confirm which version you are running and whether an update is needed, follow these steps:
- Check your WooCommerce version: Go to your WordPress Admin dashboard 🡪 Plugins (or Dashboard > Updates).
- Locate WooCommerce: Check the version number displayed in the Description column.
- Take Action:
- If you are running WooCommerce 5.3 or earlier: You are not affected by this flaw, but releases that old no longer receive security fixes, so upgrade to the current release anyway.
- If you are running WooCommerce 10.5.3 or newer: You are fully updated and no further action is necessary.
- If you are running WooCommerce 5.4 to 10.5.2: You must update to the corresponding patched version immediately (or, better, to the current release).
(Note: WooCommerce published 52 patched versions, one for every minor branch from 5.4 to 10.5, so you can stay on your current branch if a larger upgrade is not practical right now. If you are on any version between 5.4 and 10.5.2, check for an available update in your dashboard.)
Full List of Patched WooCommerce Versions
Find your current major/minor version branch below. Make sure you are updated to the corresponding Patched Version on the right to secure your store from the WooCommerce Store API vulnerability.
| Unpatched Versions (Update Immediately) | Patched Version (Secure) |
|---|---|
| 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4 | 5.4.5 |
| 5.5.0 to 5.5.4 | 5.5.5 |
| 5.6.0 to 5.6.2 | 5.6.3 |
| 5.7.0 to 5.7.2 | 5.7.3 |
| 5.8.0, 5.8.1 | 5.8.2 |
| 5.9.0, 5.9.1 | 5.9.2 |
| 6.0.0, 6.0.1 | 6.0.2 |
| 6.1.0 to 6.1.2 | 6.1.3 |
| 6.2.0 to 6.2.2 | 6.2.3 |
| 6.3.0, 6.3.1 | 6.3.2 |
| 6.4.0, 6.4.1 | 6.4.2 |
| 6.5.0, 6.5.1 | 6.5.2 |
| 6.6.0, 6.6.1 | 6.6.2 |
| 6.7.0 | 6.7.1 |
| 6.8.0 to 6.8.2 | 6.8.3 |
| 6.9.0 to 6.9.4 | 6.9.5 |
| 7.0.0, 7.0.1 | 7.0.2 |
| 7.1.0, 7.1.1 | 7.1.2 |
| 7.2.0 to 7.2.3 | 7.2.4 |
| 7.3.0 | 7.3.1 |
| 7.4.0, 7.4.1 | 7.4.2 |
| 7.5.0, 7.5.1 | 7.5.2 |
| 7.6.0, 7.6.1 | 7.6.2 |
| 7.7.0 to 7.7.2 | 7.7.3 |
| 7.8.0 to 7.8.3 | 7.8.4 |
| 7.9.0, 7.9.1 | 7.9.2 |
| 8.0.0 to 8.0.4 | 8.0.5 |
| 8.1.0 to 8.1.3 | 8.1.4 |
| 8.2.0 to 8.2.4 | 8.2.5 |
| 8.3.0 to 8.3.3 | 8.3.4 |
| 8.4.0 to 8.4.2 | 8.4.3 |
| 8.5.0 to 8.5.4 | 8.5.5 |
| 8.6.0 to 8.6.3 | 8.6.4 |
| 8.7.0 to 8.7.2 | 8.7.3 |
| 8.8.0 to 8.8.6 | 8.8.7 |
| 8.9.0 to 8.9.4 | 8.9.5 |
| 9.0.0 to 9.0.3 | 9.0.4 |
| 9.1.0 to 9.1.5 | 9.1.6 |
| 9.2.0 to 9.2.4 | 9.2.5 |
| 9.3.0 to 9.3.5 | 9.3.6 |
| 9.4.0 to 9.4.4 | 9.4.5 |
| 9.5.0 to 9.5.3 | 9.5.4 |
| 9.6.0 to 9.6.3 | 9.6.4 |
| 9.7.0 to 9.7.2 | 9.7.3 |
| 9.8.0 to 9.8.6 | 9.8.7 |
| 9.9.0 to 9.9.6 | 9.9.7 |
| 10.0.0 to 10.0.5 | 10.0.6 |
| 10.1.0 to 10.1.3 | 10.1.4 |
| 10.2.0 to 10.2.3 | 10.2.4 |
| 10.3.0 to 10.3.7 | 10.3.8 |
| 10.4.0 to 10.4.3 | 10.4.4 |
| 10.5.0 to 10.5.2 | 10.5.3 |
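For anyone managing more than one store, the version check above and the table are easier to apply as a script. The helper below is an added example, not WooCommerce tooling: the branch table is transcribed from this post, and the only external assumption is how you read the installed version (for example with WP-CLI, `wp plugin get woocommerce --field=version`).

```python
"""Triage an installed WooCommerce version against the patched-version table above.

Added helper, not WooCommerce tooling. PATCHED_BRANCHES is transcribed from the
table in this post; the one external assumption is how you obtain the version
string, for example with WP-CLI:  wp plugin get woocommerce --field=version
"""
import re
from typing import Optional

# minor branch -> first patch level that contains the fix (52 entries)
PATCHED_BRANCHES = {
    "5.4": 5, "5.5": 5, "5.6": 3, "5.7": 3, "5.8": 2, "5.9": 2,
    "6.0": 2, "6.1": 3, "6.2": 3, "6.3": 2, "6.4": 2, "6.5": 2,
    "6.6": 2, "6.7": 1, "6.8": 3, "6.9": 5,
    "7.0": 2, "7.1": 2, "7.2": 4, "7.3": 1, "7.4": 2, "7.5": 2,
    "7.6": 2, "7.7": 3, "7.8": 4, "7.9": 2,
    "8.0": 5, "8.1": 4, "8.2": 5, "8.3": 4, "8.4": 3, "8.5": 5,
    "8.6": 4, "8.7": 3, "8.8": 7, "8.9": 5,
    "9.0": 4, "9.1": 6, "9.2": 5, "9.3": 6, "9.4": 5, "9.5": 4,
    "9.6": 4, "9.7": 3, "9.8": 7, "9.9": 7,
    "10.0": 6, "10.1": 4, "10.2": 4, "10.3": 8, "10.4": 4, "10.5": 3,
}
FIRST_AFFECTED = (5, 4)    # 5.3 and earlier do not contain the flaw
LATEST_PATCHED = (10, 5)   # 10.5.3 is the newest patched release in the table


def parse_version(version: str) -> tuple:
    """Accept '10.5.2', '10.5' or '10.5.3-rc.1'; pre-release suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised WooCommerce version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version: str) -> tuple:
    """Return (status, target): status is one of not_affected / patched /
    vulnerable / unknown, and target is the patch to install when vulnerable."""
    major, minor, patch = parse_version(version)
    if (major, minor) < FIRST_AFFECTED:
        return "not_affected", None   # flaw absent, but these releases are unsupported
    if (major, minor) > LATEST_PATCHED:
        return "patched", None        # released after 10.5.3; assumed to carry the fix
    fixed = PATCHED_BRANCHES.get(f"{major}.{minor}")
    if fixed is None:
        return "unknown", None        # branch not in the table; check manually
    if patch >= fixed:
        return "patched", None
    return "vulnerable", f"{major}.{minor}.{fixed}"


def sites_needing_update(versions_by_site: dict) -> dict:
    """Fleet view: map each still-vulnerable site to the patch it needs."""
    result = {}
    for site, version in versions_by_site.items():
        status, target = assess(version)
        if status == "vulnerable":
            result[site] = target
    return result
```

`assess("10.5.2")` returns `("vulnerable", "10.5.3")`, while anything at or above its branch’s patch level returns `patched`. Treat `unknown` and `not_affected` as prompts to look at the site by hand rather than as a clean bill of health.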
Best Practices to Prevent Future CSRF Attacks
Beyond patching the WooCommerce Store API vulnerability, we recommend the following security hygiene for all myCred and WooCommerce store owners:
- Use Separate Browser Profiles: Only access your WordPress Admin through a dedicated, clean and fully up-to-date browser profile, and log out when you are done; a CSRF attack needs a live admin session to ride on.
- Verify All Links: Never click on links in unsolicited emails or “support” messages while logged in as an admin.
- Enable 2FA: Use Two-Factor Authentication to prevent unauthorized account access even if a password is compromised. Note that 2FA does not stop CSRF itself, since the forged request reuses a session that is already authenticated; it protects against password theft.
- Audit Administrator Accounts: Because this flaw can create new admin users, review Users > All Users (filtered by the Administrator role) and remove any account you do not recognize.
- Monitor myCred Logs: Regularly check your myCred point logs for unusual spikes in point creation or manual adjustments.
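Reviewing point logs by eye does not scale, so here is one way to automate the last check. This is an added example and not myCred code: the row layout follows the myCred log table as the author understands it (ref, user_id, creation_date holding the points delta, ctype, time), which you should verify against your own wp_myCred_log schema before use; the sample rows are constructed and the thresholds are starting points to tune per site.

```python
"""Flag unusual point activity in myCred-style log rows.

Added example, not myCred code. Row layout follows the myCred log table as the
author understands it (ref, user_id, creation_date = points delta, ctype, time);
verify it against your own wp_myCred_log schema. The sample rows are constructed
and the thresholds are starting points to tune per site.
"""
from collections import defaultdict
from statistics import median

HOUR = 3600
BASE = 1_700_000_000 - (1_700_000_000 % HOUR)   # constructed timeline, aligned to an hour


def build_sample_log() -> list:
    """24 hours of ordinary purchase rewards plus one large manual credit.
    Tuple layout: (time, user_id, creation_date[points], ref, ctype)."""
    rows = []
    for h in range(24):
        t = BASE + h * HOUR
        rows.append((t + 300, 2 + h % 5, 20.0, "woocommerce_payment", "mycred_default"))
        rows.append((t + 1800, 3 + h % 4, 30.0, "woocommerce_payment", "mycred_default"))
    rows.append((BASE + 10 * HOUR + 600, 7, 10000.0, "manual", "mycred_default"))  # suspicious
    rows.append((BASE + 15 * HOUR + 60, 3, -50.0, "manual", "mycred_default"))     # routine correction
    return rows


def hourly_credits(rows, ctype="mycred_default") -> dict:
    """Points credited (positive deltas only) per hour bucket for one point type."""
    totals = defaultdict(float)
    for t, _user, delta, _ref, ct in rows:
        if ct == ctype and delta > 0:
            totals[t // HOUR] += delta
    return dict(totals)


def spike_hours(rows, factor=5.0, min_points=500.0) -> list:
    """Hour buckets whose credited points exceed factor x the median hour."""
    totals = hourly_credits(rows)
    if len(totals) < 3:
        return []   # too little history to call anything a spike
    baseline = median(totals.values())
    return sorted(h for h, v in totals.items() if v >= min_points and v > factor * baseline)


def large_manual_adjustments(rows, limit=1000.0) -> list:
    """Manual (dashboard) adjustments at or above `limit` points, in either direction."""
    return [(t, user, delta) for t, user, delta, ref, _ct in rows
            if ref == "manual" and abs(delta) >= limit]


def top_recipients(rows, share=0.5) -> list:
    """Users who received at least `share` of all points credited in the log."""
    per_user = defaultdict(float)
    for _t, user, delta, _ref, _ct in rows:
        if delta > 0:
            per_user[user] += delta
    total = sum(per_user.values())
    return sorted(u for u, v in per_user.items() if total and v / total >= share)


def report(rows) -> list:
    """Human-readable findings; an empty list means nothing tripped."""
    findings = [f"spike in hour starting at {h * HOUR}: review the log entries"
                for h in spike_hours(rows)]
    findings += [f"manual adjustment of {d:+.0f} points to user {u} at {t}"
                 for t, u, d in large_manual_adjustments(rows)]
    findings += [f"user {u} received a majority of all points credited"
                 for u in top_recipients(rows)]
    return findings
```

On the constructed sample, `report(build_sample_log())` returns three findings, all pointing at the same 10,000-point manual credit to one user. In production, pull the rows for the last day or two from the log table and run the same functions; the per-user share check is the one most likely to catch a compromised admin quietly inflating a single balance.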
Last Word
The WooCommerce Store API vulnerability is a serious reminder that e-commerce security is an ongoing process. By updating to WooCommerce 10.5.3 (or your branch’s specific patch), you protect your customer data and the hard-earned points of your myCred users.
Need help securing your myCred store? Contact our support team today.
