
On July 13th two critical SQL Injection vulnerabilities were reported and patched in the WooCommerce and WooCommerce Blocks WordPress plugins.
SQL Injection vulnerabilities allow attackers to ‘piggyback’ on SQL queries, usually allowing the attacker to read, write and edit database data. Although SQL Injection vulnerabilities can sometimes be difficult to exploit manually, tools such as sqlmap make exploitation much easier.
The vulnerabilities were responsibly reported to Automattic (the developers of the plugins) through their HackerOne bug bounty program. The vulnerabilities were due to the misuse of the sanitize_text_field WordPress function, which can help protect against Cross-Site Scripting (XSS) vulnerabilities but should not be used to protect against SQL Injection vulnerabilities.
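The following is an added illustration of that distinction, not WooCommerce's own code: the same lookup written with sanitize_text_field() as its only defence, and then with $wpdb->prepare(). It assumes a loaded WordPress runtime ($wpdb, sanitize_text_field(), absint()); the table and function names are hypothetical.

```php
<?php
// Added illustration (not WooCommerce's code) of why sanitize_text_field() is the
// wrong tool for SQL and what to use instead. Assumes the WordPress runtime
// ($wpdb, sanitize_text_field, absint) is loaded; table/function names are hypothetical.

// VULNERABLE PATTERN: sanitize_text_field() strips HTML tags, line breaks and
// invalid UTF-8 (useful against XSS on output). It does not escape quotes or
// SQL syntax, so once the value is concatenated into a query it is still
// untrusted from the database's point of view.
function demo_lookup_vulnerable( $raw_id ) {
    global $wpdb;
    $id  = sanitize_text_field( $raw_id ); // XSS-oriented clean-up only
    $sql = "SELECT * FROM {$wpdb->prefix}demo_items WHERE item_id = '" . $id . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the type where possible and let $wpdb->prepare() bind the
// value. Placeholders (%d, %s) are escaped/quoted by WordPress, so user input
// can never change the structure of the query.
function demo_lookup_safe( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id ); // numeric id: cast it, do not "sanitize" it
    if ( 0 === $id ) {
        return array(); // non-numeric or empty input: nothing to look up
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_items WHERE item_id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Free-text values use %s; prepare() quotes the string itself, and esc_like()
// keeps LIKE wildcards in the user's input from being treated as patterns.
function demo_search_safe( $raw_term ) {
    global $wpdb;
    $term = sanitize_text_field( $raw_term ); // still fine for output hygiene
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_items WHERE name LIKE %s",
            $like
        )
    );
}
```

The rule of thumb when reviewing plugin code: sanitize_*() functions are for output and storage hygiene, while anything that reaches $wpdb must go through prepare() (or be cast to the expected numeric type).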
Automattic issued forced updates for the plugins, even if they were disabled, to ensure that their users were patched and protected. However, forced updates are never 100% effective, which could leave many websites still at risk. To make sure you are not vulnerable, check that you are running a patched version.
Since the vulnerabilities were announced we have seen reports of the vulnerabilities being exploited to compromise WordPress websites.
With the information available at the time of writing, the SQL Injection vulnerability within the WooCommerce plugin requires authentication, whereas the SQL Injection vulnerability within the WooCommerce Blocks plugin does not. This makes the vulnerability within the WooCommerce Blocks plugin much more serious, as it does not require a highly privileged user to exploit.
These vulnerabilities can be found in our WordPress vulnerability database and will be updated as further information comes to light:
WooCommerce 3.3 to 5.5 – Authenticated SQL Injection
WooCommerce Blocks 2.5 to 5.5 – Unauthenticated SQL Injection
To protect yourself from these vulnerabilities, ensure that you are running the latest version of the plugins; a full list of patched versions can be found in WooCommerce’s blog post. To be warned about these vulnerabilities in WordPress plugins and others in the future, install our WordPress security plugin.