WooCommerce SQL injection vulnerability
This entry was posted in WordPress Security on March 13, 2015 by Mark Maunder 14 Replies
Yesterday Matt Barry, one of our researchers at Wordfence discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository. WooCommerce is installed on over 1 million active WordPress websites.
We immediately contacted Woo about the issue and they’ve been incredibly responsive, releasing a fix this morning with their release of WooCommerce version 2.3.6. [Internally we’re actually shocked at how fast this went out. Great team, great product!!]
We strongly recommend you immediately upgrade if you have not already.
The specific issue is an SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key of the ‘tax_rate_country’ POST parameter is passed unescaped into a SQL insert statement. For example, a payload of
tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds.
Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.
What to do: Upgrade immediately to version 2.3.6 of WooCommerce which contains the fix.
Huge thanks to the WooThemes team for immediately addressing the issue and pushing the fix within a few HOURS of receiving the report.
Please be sure to tweet, FB or email as needed to help spread the word to your fellow WordPress site admins.