Hello.
Please check
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation
—> “After this they could take full control of the website”
Full control = Full control.
They could download clients database if Woodmart is not updated.
_____
> Unfortunately, WordPress doesn’t provide a mechanism to install updates automatically for plugins and themes.
Wordpress allow to autoupdate core and plugins. WP developers made this options after situation when a lot of websites were hacked because of vulnerability in popular plugin.
Also, WP is as LEGO, you as developer, could make autoupdate for your theme, plugins ans other assets.
Why you do not want to do it?
I prefer broken website than someone could download my clients database and access admin.
Please make it optionally.
OR
send us email if something same was found.
Because it is not okay that my website was hacked and my clients database was downloaded.
I have a license and you know my email but I see NO notifications about Woodmart vulnerability and no one asked me to update it.
I just received email from MalCare AFTER my website was hacked!
