WordPress sites vulnerable to WooCommerce plugin flaw

Started by rcjordan, November 09, 2018, 01:24:29 PM

rcjordan


ergophobe

WooCommerce is a beast. I believe the distro is bigger than the WP base distro. No surprise that it brings security concerns with it.

Leona

You wouldn't give anyone but staff a shop manager account anyway, as the role does have a lot of power, too much for what is required. If using staff that aren't trusted, then a custom role is needed.

martinibuster

I saw that and declined to write about it for SEJ. It's not really a hole that an outsider can slip through and wreak havoc.

What IS kind of scary is that 25% of WP sites have outdated and unpatched versions of PHP. This probably affects a similar number of sites running Magento and other CMSs.

In December, another 57% of WP sites will be running EOL legacy versions of PHP that will not receive further security patches or support of any kind.

https://www.searchenginejournal.com/wordpress-php/277067/

ergophobe

Quote from: martinibuster on November 15, 2018, 12:35:25 AM
In December, another 57% of WP sites will be running EOL legacy versions of PHP that will not receive further security patches or support of any kind.

A lot, but probably not nearly 57%. A large number of these are on shared hosting and some of these hosts will run outdated versions until right up before they are required to move off them, in an effort to give clients as much time as possible. I think a significant number of those hosts will turn off 5.6 and 7.0 as the deadline approaches.

Obviously, a lot won't. Some never will. PHP4 EOL was in 2008, and yet there are still 0.7% of PHP websites running on PHP4. That's insane.
https://w3techs.com/technologies/details/pl-php/all/all

Leona

Yes, in recent months I have been on a few shared servers to upgrade the PHP for performance reasons and they were all set to default at 5.6.