A researcher has discovered a Critical SQL-injection vulnerability in WooCommerce, an open-source e-commerce plugin for WordPress. WooCommerce promptly provided an emergency patch for the plugin to fix the issue.
WooCommerce is one of the leading e-commerce platforms for WordPress and runs on more than 5 million websites. In addition, the WooCommerce Blocks plugin is installed on over 200,000 websites.
The vulnerability was discovered by researcher Josh Ledford of Development Operations Security (DOS), who responsibly disclosed the vulnerability to WooCommerce.
“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” Beau Lebens of WooCommerce wrote in an advisory.
Although the researcher also warned of active exploits in the wild, the Wordfence Threat Intelligence team said they “found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.”
The vulnerability affects WooCommerce plugin versions 3.3 through 5.5 and WooCommerce Blocks plugin versions 2.5 through 5.5.
WooCommerce administrators are encouraged to upgrade to the latest versions of WooCommerce and WooCommerce Blocks (5.5.1) as soon as possible. Because the fix was also backported to every affected release branch, sites that cannot move to 5.5.1 should confirm they are running the patched point release for their branch, and no site should assume the automatic update succeeded without checking the installed plugin version.