Serious WooCommerce vulnerability threatens millions of WordPress websites

Unbreakable Lock
(Image credit: KAUST)

WooCommerce, a popular WordPress plugin for rolling out e-commerce stores, has issued an emergency patch to plug a SQL Injection vulnerability.

The vulnerability could be abused by unauthorized attackers to access arbitrary data from the database of any WooCommerce-powered online store.

Wordfence, whose cybersecurity researchers developed proof-of-concepts that exploited the vulnerability, note that the vulnerability affected not just the five millions WooCommerce users, but also the 200,000 websites that used the WooCommerce Blocks feature plugin.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” notes WooCommerce’s Head of Engineering Beau Lebens in a blog post.

Exploited in the wild?

The vulnerability was reported by Josh Ledford, founder of cybersecurity company Development Operations Security (DOS).

Wordfence notes that the critical nature of the vulnerability has led to force automatic updates to all vulnerable WordPress installations

Lebens notes that WooCommerce is still investigating the vulnerability and will report back to its community on whether data has been compromised is ongoing. The same information was repeated in the comments by various WooCommerce team members when prompted for an update by users.

According to Wordfence though, the original researcher did indicate that the vulnerability has been exploited in the wild. Wordfence too claims it has “found extremely limited evidence” of the exploit being widely used and believes that any reported incidents were perhaps highly targeted ones.

In any case, if you use WooCommerce or its Blocks plugin, make sure your installation is running the latest patched version.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.