WooCommerce announces SQL injection vulnerability
Matt Barry, a Wordfence researcher, discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository last week. WooCommerce is installed on over 1 million active WordPress websites.
Wordfence contacted Woo about the issue and they’ve been incredibly responsive, releasing a fix with the release of WooCommerce version 2.3.6.
Website Care strongly recommends that you upgrade your WooCommerce plugin immediately if you have not already.
The specific issue is an SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key of the ‘tax_rate_country’ POST parameter (the array index, not the value) is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds, which is how an injection of this kind is typically confirmed.
Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.
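To make the code pattern behind the advisory concrete, the following is an added illustration written for this post; it is not WooCommerce's or Wordfence's code. It assumes a tax rate table with an integer tax_rate_id column (the table name, schema, request contents and PDO/SQLite setup are all constructed for the example). It builds the unsafe statement only as a string, never executing it, and then runs the hardened version, which rejects any array key that is not a plain integer and binds the value as a parameter.

```php
<?php
// Added illustration (not WooCommerce's own code): an untrusted array KEY from
// $_POST spliced into SQL, beside a hardened version of the same code path.
// Assumptions: pdo_sqlite is available; the table name and schema are invented.
declare(strict_types=1);

// Constructed request: one legitimate rate id and one hostile key of the kind
// the advisory describes. Note the payload sits in the key, not the value.
$post = [
    'tax_rate_country' => [
        '7'                  => 'GB',
        '(SELECT SLEEP(10))' => 'US',
    ],
];

// Vulnerable shape: the key is interpolated unescaped and becomes SQL text.
// Only the resulting strings are returned here; they are never executed.
function buildUnsafeSql(array $countries): array
{
    $sql = [];
    foreach ($countries as $id => $country) {
        $sql[] = "INSERT INTO tax_rates (tax_rate_id, tax_rate_country) VALUES ($id, '$country')";
    }
    return $sql;
}

// Hardened shape: a rate id is only ever a non-negative integer literal.
// PHP turns numeric string keys into ints, so accept int or digit-only string.
function isValidRateId($id): bool
{
    return preg_match('/^[0-9]+$/', (string) $id) === 1;
}

// Inserts every valid row through a prepared statement and returns the keys
// that were rejected so the caller can log them.
function insertCountriesSafely(PDO $db, array $countries): array
{
    $stmt = $db->prepare(
        'INSERT INTO tax_rates (tax_rate_id, tax_rate_country) VALUES (:id, :country)'
    );
    $rejected = [];
    foreach ($countries as $id => $country) {
        if (!isValidRateId($id)) {
            $rejected[] = (string) $id;   // never lets the key near the SQL text
            continue;
        }
        $stmt->execute([':id' => (int) $id, ':country' => (string) $country]);
    }
    return $rejected;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tax_rates (tax_rate_id INTEGER PRIMARY KEY, tax_rate_country TEXT)');

// Show what the unsafe construction would have sent to the database.
foreach (buildUnsafeSql($post['tax_rate_country']) as $sql) {
    echo "unsafe: $sql\n";   // second line shows the subquery spliced into VALUES
}

// Run the hardened path and report the outcome.
$rejected = insertCountriesSafely($db, $post['tax_rate_country']);
echo 'rejected keys: ' . implode(', ', $rejected) . "\n";
echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM tax_rates')->fetchColumn() . "\n";
```

The check is deliberately a whitelist (digits only) rather than an escaping call: an identifier that is supposed to be an integer has no legitimate reason to contain anything else, so rejecting and logging it is both simpler and gives operators a signal that someone submitted a malformed tax-settings form.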
What to do: Upgrade immediately to version 2.3.6 of WooCommerce, which contains the fix. Alternatively, contact us at Website Care if you have any queries regarding your WooCommerce setup.
Read the article in full on the WordFence.com blog.