WooCommerce SQL injection vulnerability

Yesterday Matt Barry, one of our researchers at Wordfence, discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository. WooCommerce is installed on over 1 million active WordPress websites.

We immediately contacted Woo about the issue and they have been incredibly responsive, releasing a fix this morning in WooCommerce version 2.3.6. [Internally we're actually shocked at how fast this went out. Great team, great product!!]

We strongly recommend you immediately upgrade if you have not already.

The specific issue is a SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key (the array index, not the value) of the 'tax_rate_country' POST parameter is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds.
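
To make the defect concrete, here is an added illustration of the pattern described above and the kind of fix that closes it; this is not WooCommerce's own code, and the table name, column names and handler functions are assumptions for illustration. The point is that the array key of a POST parameter is as attacker-controlled as its value, so it is cast to a non-negative integer with WordPress's absint() before it reaches SQL.

```php
<?php
// Added illustration, not WooCommerce's own code. Assumes WordPress has
// loaded $wpdb, absint() and sanitize_text_field(); the table and column
// names are assumptions that mirror the post's description.

// Vulnerable pattern: the array KEY of $_POST['tax_rate_country'] is used
// verbatim, so whatever the client puts inside the square brackets becomes
// part of the SQL statement.
function save_tax_rate_countries_unsafe( array $posted ) {
    global $wpdb;
    foreach ( $posted as $key => $country ) {
        $tax_rate_id = $key; // attacker-controlled, never escaped or cast
        $wpdb->query(
            "UPDATE {$wpdb->prefix}woocommerce_tax_rates "
            . "SET tax_rate_country = '" . esc_sql( $country ) . "' "
            . "WHERE tax_rate_id = " . $tax_rate_id
        );
    }
}

// Hardened pattern: absint() turns any non-numeric key into 0, which is
// then rejected, and the remaining integer is bound through a %d format
// so it can never be interpreted as SQL.
function save_tax_rate_countries_safe( array $posted ) {
    global $wpdb;
    $updated = 0;
    foreach ( $posted as $key => $country ) {
        $tax_rate_id = absint( $key ); // a non-numeric key such as the post's payload becomes 0
        if ( 0 === $tax_rate_id ) {
            continue; // not a valid rate id; skip rather than guess
        }
        $wpdb->update(
            $wpdb->prefix . 'woocommerce_tax_rates',
            array( 'tax_rate_country' => sanitize_text_field( $country ) ),
            array( 'tax_rate_id' => $tax_rate_id ),
            array( '%s' ), // format of the SET value
            array( '%d' )  // format of the WHERE value
        );
        $updated++;
    }
    return $updated; // number of rows actually updated
}

// Typical call site: the posted array is indexed by tax rate id.
// save_tax_rate_countries_safe( $_POST['tax_rate_country'] );
```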

Because exploiting this vulnerability requires a Shop Manager or Admin user account, an attacker without such an account would need to combine it with an XSS attack in order to exploit it.

What to do: Upgrade immediately to version 2.3.6 of WooCommerce which contains the fix.

Huge thanks to the WooThemes team for immediately addressing the issue and pushing the fix within a few HOURS of receiving the report.

Please be sure to tweet, FB or email as needed to help spread the word to your fellow WordPress site admins.

Comments

14 Comments
  • Thanks!

    We keep all our client sites secured with Wordfence and Wordfence Premium -- as well as the quick response of the Wordfence team to issues like this.

    Mike

  • Thank you guys for all you do to keep Wordpress safe!

  • You really think that people can react and update their websites in 1 day?

  • Thanks for the notification, I've informed my clients to upgrade asap and consider at long last purchasing a license!

  • Thanks WordFence for the security warning. There are millions of WooCommerce-powered websites, which is why this vulnerability patch is so valuable for the world.

  • I really appreciate your work guys, I am using WooCommerce on 3 of my sites and I just updated all of them.

    Thank you once again.

  • I have a couple of sites on 2.1 and 2.2 versions of WooCommerce and this vulnerability is not present in them, I can only presume it was introduced in 2.3.

    Note: I will upgrade those installations to 2.3 in time, just need a bit more time to perform the migration, and good to know they're not susceptible to this vulnerability in the meantime.

    • I have a site that uses WooCommerce 2.1.7. As you said above, the security error should not affect this version. I am wondering if you have any follow-up information on this. Or more importantly, I am trying to test to make sure that this vulnerability does not affect 2.1.7 and am wondering how you know that the vulnerability is not within the 2.1 versions.

      Thank you so much

  • Is it wise to disclose the actual vulnerable field before people have patched their sites? I suppose an attacker could do a code diff fairly easily though.

    Simon.

  • Building my store, thanks for keeping Woo safe and secure!

  • Here are the files that were changed in the bugfix: https://github.com/woothemes/woocommerce/commit/e81d2182f559f64bb822489e6992b81b91944574

    The key line is in changing:

    $tax_rate_id = $key;
    to
    $tax_rate_id = absint( $key );

    in /admin/settings/class-wc-settings-tax.php

    That class has been significantly refactored in more recent releases and it is in this refactoring that the vulnerability was introduced. At least, from all the previous installs that I've looked at!

    As for publishing the vulnerability - as WooCommerce is open source it's already published via GitHub anyway.

  • Hi

    If the specific files and lines of code are known, is it possible to inspect and reject those from even being applied, like an IPS signature?

  • Does this plugin protect the htaccess?