A serious security vulnerability has been discovered and patched in WooCommerce, affecting a significant number of store versions currently running across the web. If your store is running WooCommerce and you have not confirmed your version recently, this is the moment to do so. The flaw is now fixed, but understanding what happened — and what may have been at risk — matters both for your peace of mind and for your obligations under UK data protection law.
A critical vulnerability was discovered in WooCommerce versions 5.4 through to 10.5.2, exploitable via Cross-Site Request Forgery (CSRF). In plain terms, this type of attack uses a phishing-style lure to trick an authenticated user — such as a logged-in administrator — into unknowingly triggering an action on your site. If successfully exploited, an attacker could have created a new admin account and gained full control of your store. That is not a minor inconvenience. Full administrative access means an attacker could view, export, or manipulate virtually everything on your site.
The scale of the patch operation gives a sense of how widespread the exposure could have been: 52 affected versions of WooCommerce required patches, covering version ranges from 5.4.0 through to 10.5.2. That is a broad range, and it means many stores will have been running a vulnerable version without any visible warning signs.
This is where I want to be precise, because the distinction matters when you are assessing your exposure or communicating with customers. If the vulnerability had been exploited, it could have exposed full admin access including customer order information such as names, email addresses, phone numbers, shipping and billing addresses, types of payment methods used, items purchased, and associated metadata. No passwords, credit card numbers, or other financial details would have been exposed.
That final point is significant. Payment card data in a properly configured WooCommerce store is handled by your payment processor — Stripe, PayPal, or whichever gateway you use — not stored on your WordPress installation. So whilst the exposure of order and contact data would still represent a serious data breach under UK GDPR, the specific risk of financial fraud from payment card theft was not present here.
The order data that could have been accessed — names, addresses, purchase history — is nonetheless personally identifiable information. Under UK data protection law, exposure of that data without lawful basis carries real consequences, including the potential obligation to notify the Information Commissioner’s Office and affected individuals. This is not a technicality to brush past.
There is also some genuinely reassuring news on the exploitation front. The vulnerability was reported through Automattic’s bug bounty programme, and at the time of disclosure there was no evidence of it being used or exploited outside of Automattic’s own security testing programme. That means this was discovered responsibly, patched before it became widely known, and — as far as the evidence shows — not used maliciously in the wild.
If your store is hosted on Automattic’s infrastructure, you may already be protected without needing to act. As of 14:00 UTC on 2 March 2026, the update was being automatically rolled out to stores opted in to auto updates, and all WooCommerce stores hosted by Automattic — including on WordPress.com, WordPress VIP, Pressable, or via WP Cloud — were automatically updated or patched once the patch was released. If you are on one of those platforms, log in and confirm the update has been applied, but the heavy lifting will likely have been done for you.
For everyone else — particularly those on self-managed hosting or third-party managed WordPress providers — you need to verify your WooCommerce version manually. Here is how:
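As an added example, not code from the original article, the following WP-CLI script performs the check: it reads the installed WooCommerce version, compares it with the affected range stated above (5.4.0 through 10.5.2), and lists administrator accounts for review, since the flaw could have been used to create one. It assumes the `wp` command is installed and that the script is run from the site root; the article does not list the patched version numbers, so a version inside the range still needs checking against the WooCommerce changelog for your branch.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Compares the installed WooCommerce version against the affected range
# given in the disclosure (5.4.0 through 10.5.2) and lists administrator
# accounts, since the CSRF flaw could have been used to create a new one.
# Assumes WP-CLI ("wp") is installed and the script runs from the site root.

# Compare two dotted versions; prints -1, 0 or 1 for a < b, a == b, a > b.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        # Keep digits only so a suffix such as "-beta" does not break the test
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); bi=$(printf '%s' "$bi" | tr -cd '0-9')
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the version lies inside the disclosed affected range.
in_affected_range() {
    [ "$(vercmp "$1" 5.4.0)" -ge 0 ] && [ "$(vercmp "$1" 10.5.2)" -le 0 ]
}

report() {
    installed=$(wp plugin get woocommerce --field=version 2>/dev/null)
    if [ -z "$installed" ]; then
        echo "WooCommerce not found; wp could not read its version."
        return 1
    fi
    if in_affected_range "$installed"; then
        echo "WooCommerce $installed is inside the disclosed range 5.4.0-10.5.2."
        echo "Check the changelog for your branch's patched build, or run: wp plugin update woocommerce"
    else
        echo "WooCommerce $installed is outside the disclosed range 5.4.0-10.5.2."
    fi
    # Any administrator you do not recognise, especially a recent one, needs investigating.
    echo "Administrator accounts, newest first:"
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered \
        --orderby=user_registered --order=DESC
}

# Only run against a real site when WP-CLI is available.
if command -v wp >/dev/null 2>&1; then report; fi
```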
If you are unsure whether your current version is affected, or if your store has a complex plugin environment where updates require testing before deployment, get in touch and I can assess your situation directly.
This incident is a timely reminder of something I say to every business owner I work with: regularly updating WordPress, WooCommerce, and all installed plugins is one of the most reliable ways to maintain a secure online store, because updates consistently include security patches that address vulnerabilities. Delaying updates — whether out of caution about compatibility or simply because it slips down the priority list — creates an expanding window of exposure. The longer a known vulnerability sits unpatched on a live store, the greater the risk.
Running a WooCommerce store is running a business that handles personal data. The security of that data is not purely a technical matter — it is a commercial and legal responsibility. Keeping your software current is one of the most straightforward ways to honour that responsibility, and it costs far less than managing the aftermath of a breach.
If you want a proper review of your store’s security posture — not just a version check, but a structured look at how your site is configured and maintained — reach out to me at The WordPress Guy and we can take it from there.
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years