Vulnerability could have been used to target WordPress sites
WooCommerce, a popular WordPress plugin for rolling out e-commerce stores, has issued an emergency patch to plug a SQL Injection vulnerability.
The vulnerability could be abused by unauthorized attackers to access arbitrary data from the database of any WooCommerce-powered online store.
Wordfence, whose cybersecurity researchers developed proof-of-concepts that exploited the vulnerability, note that the vulnerability affected not just the five millions WooCommerce users, but also the 200,000 websites that used the WooCommerce Blocks feature plugin.
“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” notes WooCommerce’s Head of Engineering Beau Lebens in a blog post.
Exploited in the wild?
The vulnerability was reported by Josh Ledford, founder of cybersecurity company Development Operations Security (DOS).
Wordfence notes that the critical nature of the vulnerability has led WordPress.org to force automatic updates to all vulnerable WordPress installations.
Lebens notes that WooCommerce is still investigating the vulnerability and will report back to its community on whether data has been compromised is ongoing. The same information was repeated in the comments by various WooCommerce team members when prompted for an update by users.
According to Wordfence though, the original researcher did indicate that the vulnerability has been exploited in the wild. Wordfence too claims it has “found extremely limited evidence” of the exploit being widely used and believes that any reported incidents were perhaps highly targeted ones.
In any case, if you use WooCommerce or its Blocks plugin, make sure your installation is running the latest patched version.