WooCommerce (opens in new tab), a popular WordPress plugin (opens in new tab) for rolling out e-commerce stores (opens in new tab), has issued an emergency patch to plug a SQL (opens in new tab) Injection vulnerability.
The vulnerability could be abused by unauthorized attackers to access arbitrary data from the database of any WooCommerce-powered online store.
Wordfence, whose cybersecurity researchers developed proof-of-concepts (opens in new tab) that exploited the vulnerability, note that the vulnerability affected not just the five millions WooCommerce users, but also the 200,000 websites that used the WooCommerce Blocks feature plugin.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
>> Click here to start the survey in a new window (opens in new tab) <<
- We've built a list of the best WordPress hosting (opens in new tab) providers
- Here’s a list of the best Wordpress plugins (opens in new tab)
- And these are the best ecommerce plugins for WordPress (opens in new tab)
“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” notes WooCommerce’s Head of Engineering Beau Lebens in a blog post (opens in new tab).
Exploited in the wild?
The vulnerability was reported by Josh Ledford, founder of cybersecurity (opens in new tab) company Development Operations Security (DOS).
Lebens notes that WooCommerce is still investigating the vulnerability and will report back to its community on whether data has been compromised is ongoing. The same information was repeated in the comments by various WooCommerce team members when prompted for an update by users.
According to Wordfence though, the original researcher did indicate that the vulnerability has been exploited in the wild. Wordfence too claims it has “found extremely limited evidence” of the exploit being widely used and believes that any reported incidents were perhaps highly targeted ones.
In any case, if you use WooCommerce or its Blocks plugin, make sure your installation is running the latest patched version.
- Also take a look at these best WordPress themes (opens in new tab)