The WooCommerce team announced on July 15th, 2021, that the WooCommerce (v3.3 through v5.5.0) and WooCommerce Blocks feature plugins (v2.5 through v5.5.0) were affected by a critical SQL injection vulnerability reported by HackerOne.
Currently, WordPress.org is forcing automatic updates on vulnerable sites, which is not a very common practice for addressing security issues affecting a large number of sites.
While WooCommerce merchants have the option to run the automatic update, they should make sure their stores are running the latest version (5.5.1).
In response to a critical vulnerability identified on July 13, 2021, we're working with the @WordPress Plugins Team to deploy software updates to users running #WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5). — WooCommerce (@WooCommerce), July 14, 2021
If you have not updated WooCommerce or WooCommerce Blocks, you should do so immediately, even though no signs of exploitation have been detected so far.
The WooCommerce team encourages merchants who might be vulnerable to exploitation to update their passwords after installing the patched version as a precautionary measure.
The vulnerability was properly patched a day after it was discovered, which is great news for WooCommerce store owners.