On May 28, 2024, Woo’s engineering team discovered an issue within WooCommerce (versions 7.8 and above) that caused the unintentional collection of specific visitor data by Automattic, Woo’s parent company.
This issue only pertained to WooCommerce stores that had data tracking enabled and did not have their store connected to Jetpack.
The specific visitor data collected by Automattic included visitor IP addresses, timestamps, referrers, user agents, and a few other HTTP-specific details. No sensitive customer or user data, nor any payment data, was collected due to this issue.
The collected data logs were stored securely on Automattic’s servers. None of the data was externally accessed, and all data from stores with a patched WooCommerce version active will be removed within the next few days based on Automattic’s default, 14-day retention policy.
Woo’s engineering team developed and released a patch for WooCommerce on June 4th, 2024 that addressed the issue. Woo merchants using automatic updating should already have the patch installed, and no further action should be necessary.
About the issue
With the release of WooCommerce 7.8, a change was made that caused an external file (in this case, https://stats.wp.com/w.js) to be requested by the store front end if the store also opted into WooCommerce usage tracking. When this file was unintentionally requested, details about the request (including the visitor data mentioned above) were recorded to server request logs on servers hosted on Automattic infrastructure.
Woo’s engineering team addressed the issue by creating patched versions of WooCommerce 7.0 to 8.9. Updates have been released as of June 4th, 2024.
You can read more details in this Developer Advisory on the Woo Developer Blog.
How can I tell if my store was affected?
To determine if your WooCommerce installation is affected by this issue, check the version of WooCommerce you are running. If your site has any of WooCommerce versions 7.8.0 through 8.9.1 active and your store has tracking enabled, you are likely affected. If your store is connected to Jetpack you may still see the “https://stats.wp.com/w.js” file loading when certain features are active (e.g. Jetpack search).
How do I protect my store?
The Woo team released a WooCommerce patch to address the issue starting June 4, 2024. We encourage you to ensure your store has the latest patched version of WooCommerce active.
Latest Patched Versions of WooCommerce from 7.0 to 8.9 (download the latest release from WordPress.org)
8.9.2 | 8.8.4 | 8.7.1 | 8.6.2 | 8.5.3 | 8.4.1 |
8.3.2 | 8.2.3 | 8.1.2 | 8.0.4 | 7.9.1 | 7.8.3 |
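The version check and the patched-release list above can be applied across several stores at once. The following is an added example, not code from Woo or Automattic; the function names, status labels and the store inventory are constructed for illustration, and treating a pre-release build of a patched version as unpatched is an assumption.

```python
import re

# Patched release for each affected branch, copied from the advisory's list.
PATCHED = {(8, 9): 2, (8, 8): 4, (8, 7): 1, (8, 6): 2, (8, 5): 3, (8, 4): 1,
           (8, 3): 2, (8, 2): 3, (8, 1): 2, (8, 0): 4, (7, 9): 1, (7, 8): 3}

def parse_version(text):
    """Split '8.9.1', '8.4' or '7.8.3-rc.1' into (major, minor, patch, is_prerelease)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4] is not None

def assess(version, tracking_enabled, jetpack_connected):
    """Return (status, update_target) for one store."""
    major, minor, patch, pre = parse_version(version)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return ("outside-affected-range", None)   # not 7.8.x through 8.9.x
    # A pre-release of the patched version is treated as unpatched (assumption).
    if patch > fixed or (patch == fixed and not pre):
        return ("patched", None)
    target = f"{major}.{minor}.{fixed}"
    if tracking_enabled and not jetpack_connected:
        return ("likely-affected", target)
    return ("update-recommended", target)

# Constructed inventory: (store name, version, tracking enabled, Jetpack connected).
STORES = [
    ("shop-a", "8.9.1", True, False),
    ("shop-b", "8.5.0", True, True),
    ("shop-c", "7.7.2", True, False),
    ("shop-d", "8.8.4", True, False),
]

def audit(stores):
    return {name: assess(ver, trk, jp) for name, ver, trk, jp in stores}

if __name__ == "__main__":
    for name, (status, target) in audit(STORES).items():
        print(f"{name}: {status}" + (f" -> update to {target}" if target else ""))
```

A store reported as "update-recommended" runs an unpatched release in the affected range but does not meet both conditions the advisory names (tracking enabled and no Jetpack connection).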
We’re proactively communicating with Woo merchants about this update out of an abundance of caution and as part of our commitment to data privacy. Once again, no sensitive information was accessed, and all of the specific visitor data that was collected was temporarily and securely stored on Automattic’s servers.
If you have further concerns or questions, our team of Happiness Engineers is on hand to help; please open a support ticket.