13 Jun WooCommerce Object Injection Vulnerability
Sucuri located an Object Injection Vulnerability within WooCommerce on June 10th. This vulnerability can allow attackers to download any file on the affected website.
The vulnerability only effects websites that have the “PayPal Identity Token” option set within WooCommerce. The vulnerability seems to be most effective when coupled with the CVE-2013-1643 PHP bug.
By the following day, June 11th, WooCommerce released version 2.3.11 which patches this vulnerability.
Although this issue only seems to affect websites using the Paypal gateway and only when the PayPal identity token is set, it is advised that you update WooCommerce immediately.