• Resolved Beda

    (@bedas)


    Hi

    We received an email from our website saying that the plugin has automatically updated from 7.4.2 to 7.4.3.

    I suspect this is a security patch that was force pushed, because we have automatic updates disabled.

    The reason I became suspicious of the updates was mainly that the emails sent by WP about the automated update featured a link that asked me to download a file.
    This is a red herring in my eyes, and I want to be sure that you are aware of the update, that it was indeed forced, and that v7.4.3 is legit (it does not appear in the changelog!).

    Thank you.

Viewing 10 replies - 1 through 10 (of 10 total)
  • I received the same automatic updates, although mine didn’t include a download link. I’d love an explanation as well. Unlike the last forced update over the summer I don’t see any mention online of security issues or anything in the changelog.

    The automatic update also didn’t update to the newest version on all of my sites which is 7.6.1. Some went from 7.5.0 to 7.5.1 for example.

    Thanks in advance.

    We got an automatic update, too, from 7.6.0 to 7.6.1 – without a download link. It was a standard automatic update mail from WordPress core although we also didn’t have automatic updates activated for this plugin.

    An explanation would be nice when a piece of software is obviously force pushed into our installation.

    Greetings,
    -doffine

    I received an email from security@woocommerce.com. You might want to subscribe to the developer mailing list on the page below:
    https://developer.woocommerce.com

    We’re reaching out to let you know that an important security update has been released for an extension installed in your WooCommerce store: Stripe for WooCommerce (also known as WooCommerce Stripe Payment Gateway). This update corrects 32 unpatched versions (from 4.5.4 to 7.6.0). The current, most up-to-date version of the extension is 7.6.1.

    This update addresses a vulnerability that could have allowed bad actors to trick authenticated users with enough permissions to change the Stripe API keys associated with their store. 

    We have no evidence that suggests this vulnerability was exploited. The vulnerability was originally reported via Automattic’s internal HackerOne proactive security program, and our engineering teams immediately developed this security update for you.

    Plugin Support Douglas I. a11n

    (@imodouglas)

    Hi @bedas,

    Just to clarify, our security update emails usually do not come with download links. Can you share a screenshot of the email you received with me here?

    I would advise you to not download or open the file as there is a possibility that it is not from us. Also, if your Stripe plugin is not up to date, I recommend updating it to the latest version.

    I hope this helps. Please let us know if you need further assistance.

    Thread Starter Beda

    (@bedas)

    I had actually replaced the plugin manually with the latest (your) version right after the auto-update, but please check again that this is really not your version.

    It came from the wp org. Our server admin confirmed this. So if the version doesn’t exist… the problem is not on our server.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The version does exist. And yes, it was a security release.

    When security releases happen, there is usually backporting of the fix to older versions. So 7.6 got a release to 7.6.1. However, the other versions got releases of their own, which all updated them to have the security fix.

    You can find a list of the versions that were released here: https://plugins.trac.wordpress.org/changeset/2980245/woocommerce-gateway-stripe/

    Thread Starter Beda

    (@bedas)

    Yes, I figured it out in the meantime.

    @imodouglas sorry, when you replied I only read your email, which stated it does not exist, and I did not even re-read your reply above when I replied to you.

    I can now also see the release here: https://plugins.svn.wordpress.org/woocommerce-gateway-stripe/tags/7.4.3/changelog.txt, so all good.

    Case closed.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    @doffine wrote: “An explanation would be nice when a piece of software is obviously force pushed into our installation.”

    @doffine There is no such thing as a “force push” of a plugin from our systems. To understand why this is, you need to understand how the update system works.

    WordPress checks for plugin updates on a roughly 12 hour basis. There are three options for when an update is available. It can not update, it can automatically update, or the default setting, which is to do whatever the server suggests.

    The server response has a field called, appropriately, “autoupdate”, and that field is usually “false”. However, when there is a security update with a plugin, that plugin author can coordinate with the plugins team, and they can set it to true, for some set of circumstances. In this case, everybody who is running a version with the issue was updated to the latest release that didn’t have the issue for them. So somebody running 7.4 would have been updated to 7.4.3, instead of being updated to the latest version 7.6.1. Releases like this are made so as to minimize the impact of the security fix.
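The mechanism Otto describes (the “autoupdate” field in the wordpress.org update response deciding a plugin update that the site itself never opted into) can be observed from the site side. The following is an added example for administrators, not WordPress core, WordPress.org or WooCommerce code: a must-use plugin that logs every plugin update applied because the update API flagged it rather than because the site enabled auto-updates, and adds that reason to the notification email WordPress sends. The hooks `auto_update_plugin` and `auto_plugin_theme_update_email`, the `auto_update_plugins` site option and the `autoupdate`, `plugin` and `new_version` properties of the update item are WordPress core names; the class name, file name, log wording and the “(unknown)” placeholders are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Record server-suggested plugin auto-updates (added example)
 * Description: Example mu-plugin, not core code. Copy to wp-content/mu-plugins/ to enable.
 */

class Example_Server_Suggested_Updates {

    /** @var array<string,string> plugin file => new version, filled during one update run */
    private static $suggested = array();

    public static function register() {
        // Runs for every plugin with a pending update; $update is core's default decision.
        add_filter( 'auto_update_plugin', array( __CLASS__, 'record_decision' ), 10, 2 );
        // Runs once per update run, just before the admin notification email is sent.
        add_filter( 'auto_plugin_theme_update_email', array( __CLASS__, 'annotate_email' ), 10, 4 );
    }

    public static function record_decision( $update, $item ) {
        $plugin_file = isset( $item->plugin ) ? $item->plugin : '(unknown)';
        $new_version = isset( $item->new_version ) ? $item->new_version : '(unknown)';

        // The update API sets "autoupdate" to true only when the plugins team has coordinated
        // a release (normally a security fix); it is absent or false otherwise.
        $flagged_by_api = ! empty( $item->autoupdate );

        // Plugins the site admin enabled auto-updates for (Plugins screen) live in this option.
        $enabled_by_site = in_array(
            $plugin_file,
            (array) get_site_option( 'auto_update_plugins', array() ),
            true
        );

        if ( $flagged_by_api && ! $enabled_by_site ) {
            self::$suggested[ $plugin_file ] = $new_version;
            error_log( sprintf(
                '[auto-update] %s -> %s: flagged by the update API (autoupdate), not by site settings',
                $plugin_file,
                $new_version
            ) );
        }

        // Observe only; the decision itself is left to core and any other filters.
        return $update;
    }

    public static function annotate_email( $email, $type, $successful_updates, $failed_updates ) {
        if ( empty( self::$suggested ) ) {
            return $email;
        }

        $lines = array();
        foreach ( self::$suggested as $plugin_file => $new_version ) {
            $lines[] = sprintf( '  - %s (now %s)', $plugin_file, $new_version );
        }

        // $email is the array core builds: 'to', 'subject', 'body', 'headers'.
        $email['body'] .= "\n\nThe following plugin update(s) ran although this site has not "
            . "enabled automatic updates for them: the wordpress.org update API marked the "
            . "release for automatic installation, which the plugins team does for security fixes.\n"
            . implode( "\n", $lines ) . "\n";

        return $email;
    }
}

Example_Server_Suggested_Updates::register();
```

The filter deliberately returns `$update` unchanged, so the site’s behaviour stays exactly as Otto describes; what changes is that the PHP error log and the update email now state why the update happened, which is the information doffine asked for. Returning `false` from `auto_update_plugin` instead would block such updates, which leaves a known-vulnerable version installed, so this example does not do that.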

    @otto42, ah, thank you very much for this explanation. We didn’t know about this reasonable process in detail so far. From our (in this case uninformed) end user’s point of view, we had just got an update without having automatic updates active, without having a choice and without any additional information about this incident.
    Perhaps it would be an idea for a new feature that, in the rather rare case of such an automatic update, the update mail to the admin contains a little hint/sentence explaining that this special update had security reasons and was therefore done automatically after being reviewed by the plugins team.

    Greetings and thank you very much for your work,
    -doffine

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    @doffine Generally, security releases like this are rare.

    However, actually explaining this to the user requires more than one or two sentences. There’s a lot of background information to know here. And you can’t encapsulate that information into a short text in a random email, and if you try to make it even longer then it gets ignored, or worse, marked as spam.

    Balancing security with privacy is tricky, but communicating that information with the end user is way trickier.

  • The topic ‘Unexpected automatic update from 7.4.2 to 7.4.3’ is closed to new replies.