Critical SQL Injection Vulnerability Patched in WooCommerce

Critical SQL Injection Vulnerability Patched in WooCommerce

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security)

On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by a security researcher, Josh from DOS (Development Operations Security), based in Richmond Virginia. This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch. We released an additional firewall rule to cover a separate variant of the same attack the next day, on July 15, 2021.

Sites still running the free version of Wordfence will receive the same protection after 30 days, on August 13 and August 14, 2021.

We strongly recommend updating to a patched version of WooCommerce immediately if you have not been updated automatically, as this will provide the best possible protection.

The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin.

WooCommerce Responded Immediately

In the announcement by WooCommerce, Beau Lebens, the Head of Engineering for WooCommerce stated, “Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.”

Due to the critical nature of the vulnerability, the WordPress.org team is pushing forced automatic updates to vulnerable WordPress installations using these plugins. Store owners using older versions can update to the latest version in their branch. For example, if your storefront is using WooCommerce version 5.3, you can update to version 5.3.1 to minimize the risk of compatibility issues. Within the security announcement from WooCommerce, there is a table detailing the 90 patched versions of WooCommerce. Additionally, WooCommerce has a helpful guide for WooCommerce updates.

Has This Been Exploited in the Wild?

While the original researcher has indicated that this vulnerability has been exploited in the wild, Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.

 

If you think you have been exploited due to this vulnerability, the WooCommerce team is recommending administrative password resets after updating to provide additional protection. If you do believe that your site may have been affected, a review of your log files may show indications.

Look for any requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files that appear to contain SQL statements. Query strings which include %2525 are also an indicator that this vulnerability may have been exploited on your site.

Update: We’re starting to see attack data trickle in. So far, all of the attacks are coming from just a few IP addresses:

107.173.148.66
84.17.37.76
122.161.49.71

Additionally, it appears that UNION-based SQL injection may be possible with this vulnerability, meaning that an attacker could retrieve information from the database much more quickly than is possible with blind injection.

We’re receiving reports of similar attacks dating back almost a month. While the older attacks we’ve been made aware of lack a crucial factor that would allow the exploit to be successful, it does appear that attackers have been attempting to exploit this vulnerability for some time.

Improving Security of the WordPress Ecosystem

Sites with e-Commerce functionality are a high-value target for many attackers, so it is critical that vulnerabilities in e-Commerce platforms are addressed promptly to minimize the potential damage that can be caused. With the growth of both WordPress and WooCommerce, more security researchers have turned attention to WordPress related products. The rapid and deep response that the WooCommerce team performed in protecting WooCommerce users is a great sign for the ongoing security of e-Commerce in the open source WordPress ecosystem.

Did you enjoy this post? Share it!

Comments

15 Comments
  • Hey,

    Could you guys please update this. The reporter of this was Josh from DOS (Development Operations Security) based in Richmond Virginia. I helped Josh through the reporting process of this vulnerability since this was his first time dealing with things like this and we work together. And the credit belongs to him. If you guys need any additional information feelf ree to reach out to me via email.

    thanks in advance

    • Hi Tommy,

      Thanks for letting us know! We've updated the article as requested.

      -Ram

      • Thanks for the very prompt reply and fix! I just wanted to make sure he was credit'd and it was known I just helped him and he deserved the credit

  • With apologies for this non-tech person's ignorance on this... I'm the license holder on a group's WordFence account but am NOT the tech person who now wants to know what log files are referenced in the comment "a review of your log files may show indications." Would you be kind enough to tell this non-tech person what to tell the tech person about what log file(s)... Thanks.

    • Hi,

      Generally speaking you should be able to ask your tech person to check on your site's access logs (apache or nginx, they'll likely know what is meant by this) and they'll be able to search through them for the text that we've highlighted. Better yet, point them at this article! An attacker would have to send a lot of attacks against your site to get data from it, so if you only see a few attempts you're probably safe, but if there's hundreds or thousands of similar entries that are close together it might indicate a successful attempt.

      • Thank you SO much.

      • This is almost accurate. There is a single line they can send to dump the admin username, email and password hash (that would then need to be cracked) which would not fill up the logs. I would look for any calls to this end point from the access.log or access_log files in the web server log directory then check and see if any contain SQL statements.

        • Ah thanks, I'll update this. I was only able to get boolean/time-based blind injection working.

  • Note that I'm seeing evidence of this being exploited in logs as far back as a month ago.

    • Hi Mark,

      We've gotten a few reports to this effect. So far the older attempts we've seen lack a crucial factor that would allow the exploit to work but it does indicate that attackers were aware that a vulnerability likely existed at that endpoint for at least that long, which is troubling. We've updated the article accordingly.

    • I show two instances of this each on two of our websites on June 30.

  • Given the severity of this issue, Wordfence should be including the firewall protection for free users without the 30 day wait. What you're doing here is poor form.

    • Jason we have over 4 million happy users using our free plugin who get 90% of the features and capabilities of the paid plugin. We're happy to continue providing that product for free, and continuing to volunteer our time in the WordPress.org forums to support our free community. But comments like these make it awkward and make me feel like we should go paid only. It's kind of funny how companies who are paid only don't have to deal with this, while companies that provide a free service, but are not 100% free, are put under pressure to give away more. We have to actually pay the 39 amazing people in our team, and they won't accept high-fives from enthusiastic freeloaders. They are the ones who produce the threat intelligence you're suggesting we give away free.

  • Our websites had automatically updated to the latest version of WooCommerce before I had even seen notification from Wordfence or WooCommerce.

    A key advantages of auto update.

    • Auto-update is, indeed, a lifesaver. Although it's a double-edged sword with Woo. So many of the major updates cause issues, that it's almost become normal to wait for the X.X.1 release to make sure the bugs have been cleared out.