Serious WooCommerce vulnerability threatens millions of WordPress websites

Vulnerability could have been used to target WordPress sites

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

WooCommerce, a popularWordPress pluginfor rolling oute-commerce stores, has issued an emergency patch to plug aSQLInjection vulnerability.

The vulnerability could be abused by unauthorized attackers to access arbitrary data from the database of any WooCommerce-powered online store.

Wordfence, whose cybersecurity researchersdeveloped proof-of-conceptsthat exploited the vulnerability, note that the vulnerability affected not just the five millions WooCommerce users, but also the 200,000 websites that used the WooCommerce Blocks feature plugin.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

Click here to start the survey in a new window«

“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” notes WooCommerce’s Head of Engineering Beau Lebens ina blog post.

Exploited in the wild?

The vulnerability was reported by Josh Ledford, founder ofcybersecuritycompany Development Operations Security (DOS).

Wordfence notes that the critical nature of the vulnerability has ledWordPress.orgto force automatic updates to all vulnerableWordPress installations.

Lebens notes that WooCommerce is still investigating the vulnerability and will report back to its community on whether data has been compromised is ongoing. The same information was repeated in the comments by various WooCommerce team members when prompted for an update by users.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

According to Wordfence though, the original researcher did indicate that the vulnerability has been exploited in the wild. Wordfence too claims it has “found extremely limited evidence” of the exploit being widely used and believes that any reported incidents were perhaps highly targeted ones.

In any case, if you use WooCommerce or its Blocks plugin, make sure your installation is running the latest patched version.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Squarespace just launched its biggest update ever. I asked what that means for your business

Shopify just made it easier to access all your financial tools in one place

Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind