A dangerous “Object Injection” vulnerability has been discovered in the WooCommerce plugin, which could allow an attacker to download any file on the vulnerable server. Attackers potentially downloading critical files which can result in a full site compromise.
If your WooCommerce “PayPal Identity Token” is set, you are most at risk.
Update Immediately
If you are using a version lower than 2.3.11, update the plugin as soon as possible. Remember to back up your site before updating your WordPress and Plugins. For a worry-free backup service, subscribe to Doteasy Auto Site Backup for just $1.50/month. For more info about this vulnerability, please read this article from Sucuri.