According to researchers, a significant SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been exploited as a zero-day flaw. WooCommerce released an emergency remedy for the bug late on Wednesday as a result of the exploitation. Unauthenticated cyber attackers might use the flaw to steal a slew of data from an online store's database, including customer information, payment card information, and employee credentials.
WooCommerce, a prominent open-source e-commerce platform for WordPress websites, is used by over 5 million websites worldwide. It enables online merchants to establish storefronts with a variety of customisable features, such as accepted payment kinds, shipping options, and sales tax calculations, among others. The WooCommerce Blocks feature, which is installed on over 200,000 sites, is the linked plugin affected by the flaw. It aids retailers in displaying their goods on websites.
“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”
However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.”
The issue affects WooCommerce plugin versions 3.3 to 5.5, as well as WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company developed a patch remedy “for every impacted version (90+ releases) that was automatically sent to vulnerable stores.” However, because the automatic deployment isn't instantaneous, and users in the advisory's comments section were claiming that they hadn't received the upgrades as of Thursday afternoon, WooCommerce advised that "we're urging everyone to check and manually update if needed just in case."