
WooCommerce SQL injection vulnerability

This entry was posted in WordPress Security on March 13, 2015 by mark. 14 Replies

Yesterday Matt Barry, one of our researchers at Wordfence, discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository. WooCommerce is installed on over 1 million active WordPress websites.

We immediately contacted Woo about the issue and they’ve been incredibly responsive, releasing a fix this morning with their release of WooCommerce version 2.3.6. [Internally we’re actually shocked at how fast this went out. Great team, great product!!]

We strongly recommend you immediately upgrade if you have not already.

The specific issue is a SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key (the array index, not the value) of the 'tax_rate_country' POST parameter is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds.

Because this vulnerability requires either a Shop Manager or Admin user account, an attacker would need to combine it with an XSS attack in order to exploit it.

What to do: Upgrade immediately to version 2.3.6 of WooCommerce which contains the fix.

Huge thanks to the WooThemes team for immediately addressing the issue and pushing the fix within a few HOURS of receiving the report.

Please be sure to tweet, FB or email as needed to help spread the word to your fellow WordPress site admins.


14 Comments on "WooCommerce SQL injection vulnerability"

Michael Potter March 13, 2015 at 12:07 pm • Reply

Thanks!

We keep all our client sites secured with Wordfence and Wordfence Premium -- as well as the quick response of the Wordfence team to issues like this.

Mike

Roni March 13, 2015 at 12:43 pm • Reply

Thank you guys for all you do to keep Wordpress safe!

Thomas March 13, 2015 at 2:17 pm • Reply

You really think that people can react and update their websites in 1 day?

Dan Fry March 13, 2015 at 4:30 pm • Reply

Thanks for the notification, I've informed my clients to upgrade asap and consider at long last purchasing a license!

Lucky Bhumkar March 14, 2015 at 12:34 am • Reply

Thanks WordFence for the security warning. There are millions of WooCommerce-powered websites, that's why this vulnerability patch is so valuable for the world.

Developers League March 14, 2015 at 8:22 am • Reply

I really appreciate your work guys, I am using WooCommerce on 3 of my sites and I just updated all of them.

Thank you once again.

John Hobson March 14, 2015 at 11:46 am • Reply

I have a couple of sites on 2.1 and 2.2 versions of WooCommerce and this vulnerability is not present in them, I can only presume it was introduced in 2.3.

Note: I will upgrade those installations to 2.3 in time, just need a bit more time to perform the migration, and good to know they're not susceptible to this vulnerability in the meantime.

Erik March 25, 2015 at 3:29 pm • Reply

I have a site that uses WooCommerce 2.1.7. As you said above, the security error should not affect this version. I am wondering if you have any follow up information on this. Or more importantly, I am trying to test to make sure that this vulnerability does not affect 2.1.7 and am wondering how you know that the vulnerability is not within the 2.1 versions.

Thank you so much

Simon East March 15, 2015 at 3:24 pm • Reply

Is it wise to disclose the actual vulnerable field before people have patched their sites? I suppose an attacker could do a code diff fairly easily though.

Simon.

Zombie Social Club March 17, 2015 at 4:07 pm • Reply

Building my store, thanks for keeping Woo safe and secure!

John Hobson April 7, 2015 at 1:24 am • Reply

Here's the files that were changed in the bugfix: https://github.com/woothemes/woocommerce/commit/e81d2182f559f64bb822489e6992b81b91944574

The key line is in changing:

$tax_rate_id = $key;
to
$tax_rate_id = absint( $key );

in /admin/settings/class-wc-settings-tax.php

That class has been significantly refactored in more recent releases and it is in this refactoring that the vulnerability was introduced. At least, from all the previous installs that I've looked at!

As for publishing the vulnerability - as WooCommerce is open source it's already published via GitHub anyway.
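As an added illustration, not code from the Wordfence post or from WooCommerce itself, the PHP below sketches the pattern the post describes and the absint() change quoted in the comment above: a hypothetical save routine that builds the tax-rate UPDATE statements first the vulnerable way (array key trusted as a row id) and then the fixed way. The table name, the addslashes() stand-in for value escaping and the "skip id 0" check are assumptions made so the script runs outside WordPress; inside WordPress the statement would go through $wpdb->prepare().

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern and its fix; not WooCommerce's actual code.
// WordPress's absint() (abs of intval) is stubbed here so the file runs outside WordPress.
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( intval( $maybeint ) );
    }
}

// Constructed sample POST body, shaped like the Tax Settings form submission:
// the array *key* identifies the tax-rate row, the *value* is the country code.
$post = array(
    'tax_rate_country' => array(
        '42'                 => 'GB',   // normal submission
        '(SELECT SLEEP(10))' => 'US',   // hostile key, as described in the post
    ),
);

// Vulnerable: only the value was treated as user input; the key was
// trusted as a row id and interpolated into the SQL unescaped.
function build_update_vulnerable( array $countries ) {
    $sql = array();
    foreach ( $countries as $key => $country ) {
        $tax_rate_id = $key;   // the line quoted in the comment above
        $sql[] = "UPDATE wp_woocommerce_tax_rates SET tax_rate_country = '"
               . addslashes( $country ) . "' WHERE tax_rate_id = $tax_rate_id";
    }
    return $sql;
}

// Fixed: coerce the key to a non-negative integer before it touches SQL
// and bind it through a %d placeholder, so no SQL syntax can survive.
function build_update_fixed( array $countries ) {
    $sql = array();
    foreach ( $countries as $key => $country ) {
        $tax_rate_id = absint( $key );   // '(SELECT SLEEP(10))' becomes 0
        if ( 0 === $tax_rate_id ) {
            continue;                    // assumption: ids start at 1, so 0 is never a row
        }
        $sql[] = sprintf(
            "UPDATE wp_woocommerce_tax_rates SET tax_rate_country = '%s' WHERE tax_rate_id = %d",
            addslashes( $country ), $tax_rate_id
        );
    }
    return $sql;
}

print_r( build_update_vulnerable( $post['tax_rate_country'] ) );  // second statement carries the subquery
print_r( build_update_fixed( $post['tax_rate_country'] ) );       // only the id-42 statement remains
```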

Roy April 9, 2015 at 5:10 am • Reply

Hi,

If the specific files and lines of code are known, is it possible to inspect and reject those from even being applied, like an IPS signature?

Fraser November 13, 2015 at 5:20 am • Reply

Does this plugin protect the htaccess?

