SQL Injection Vulnerability in WooCommerce Plugins of WordPress

  • CERT Admin
  • Mon Aug 09 2021
  • Alerts

Threat Level 

HIGH  

Components Affected 

· WordPress WooCommerce Plugin version 3.3 to 5.5 

· WordPress WooCommerce Block version 2.5 to 5.5 

Overview 

A vulnerability has been identified in the WooCommerce plugin of WordPress which could allow an attacker to perform SQL injection attacks on a targeted system. 

Description 

This vulnerability exists in the WooCommerce plugin because a webhook search function inserts caller-supplied search parameters into a SQL query without properly sanitizing or parameterizing them. An attacker could exploit this vulnerability simply by supplying a specially crafted search parameter to the targeted system.

Successful exploitation of this vulnerability could allow an attacker to perform SQL injection and access sensitive information on the targeted system.
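As an added illustration of the pattern the description refers to (this is not WooCommerce's own code nor the patched code), a webhook name search that splices the search term into a LIKE clause by string concatenation, beside the parameterized form. It uses PDO with an in-memory SQLite table so it runs stand-alone; the table, sample rows and search inputs are constructed for the example.

```php
<?php
// Added illustration (not WooCommerce's own code): a webhook name search that
// concatenates the search term into SQL, next to the parameterized form.
// Runs stand-alone on PDO + in-memory SQLite; in a WordPress plugin the same
// hardening is done with $wpdb->prepare() together with $wpdb->esc_like().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wc_webhooks (webhook_id INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample rows standing in for a site's webhook table.
$db->exec("INSERT INTO wc_webhooks (name) VALUES ('order created'), ('customer updated'), ('product deleted')");

// Vulnerable pattern: the caller-controlled term lands inside the SQL text,
// so a quote character in it changes the query instead of being data.
function search_webhooks_vulnerable(PDO $db, string $term): array
{
    $sql = "SELECT webhook_id FROM wc_webhooks WHERE name LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the term is bound as a parameter, and LIKE metacharacters
// are escaped so the caller cannot widen the pattern either.
function search_webhooks_safe(PDO $db, string $term): array
{
    $escaped = addcslashes($term, '%_\\');   // equivalent of $wpdb->esc_like()
    $stmt = $db->prepare("SELECT webhook_id FROM wc_webhooks WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = 'order';
$hostile = "%' OR 1=1 -- ";   // constructed input: closes the quote, comments out the rest

printf("vulnerable, benign term:  %s\n", json_encode(search_webhooks_vulnerable($db, $benign)));
printf("vulnerable, hostile term: %s\n", json_encode(search_webhooks_vulnerable($db, $hostile)));
printf("safe, benign term:        %s\n", json_encode(search_webhooks_safe($db, $benign)));
printf("safe, hostile term:       %s\n", json_encode(search_webhooks_safe($db, $hostile)));
```

With the hostile term the concatenating version matches every row because the WHERE clause has been rewritten, while the parameterized version treats the same string as a literal name fragment and matches nothing.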

Impact 

· Expose sensitive information 

· Service disruption 

Solution/Workarounds 

Apply the relevant update as mentioned in the WooCommerce advisory: 

· https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ 

Reference 

· https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ 

· https://www.bleepingcomputer.com/news/security/woocommerce-fixes-vulnerability-exposing-5-million-sites-to-data-theft/ 

· https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/ 

· https://www.cert-in.org.in

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind.  

Last updated: Mon Aug 09 2021