Malcare sent me
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation

I’m afraid that hacker downloaded all orders and clients details (emails,phone,addresses,names,etc)…

But I did not receive notifications about this issue from WoodMart and cannot update it automatically.

It is not first vulnerable and I think it is not good practice to update theme manually,
I prefer to broke website after autoupdate than someone could hack and download clients details.