WooCommerce has recently rolled out a security patch against a critical vulnerability that requires no authentication and is being actively exploited in the wild. The flaw was first brought to the developers' notice after Josh, a bug hunter, reported it through Automattic's bug bounty program on HackerOne. In an official post yesterday, the popular WordPress plugin's team described the severity of the vulnerability, which also affects the WooCommerce Blocks plugin used for showing products on posts and pages. The company has notified all site admins via email about the vulnerability and directed them to immediately update their existing version of the plugin by installing the patched version, since the vulnerability affects more than 90 versions starting with 5.5.0.
According to Wordfence, a popular endpoint firewall for WordPress, it has so far detected only "minimal evidence" of hacking attempts, indicating that the attacks are highly targeted.
The patched update to version 5.5.1 covers both plugins (the affected versions are WooCommerce 3.3 through 5.5 and WooCommerce Blocks 2.5 through 5.5), but the vulnerability has yet to receive a tracking number. Still, its severity score has been calculated at 8.2 out of 10 by Patchstack, a company that protects WordPress sites from plugin vulnerabilities.
Oliver Sild, the CEO of Patchstack, offers some additional technical insight into this vulnerability, noting that the patch eliminates the flaw by modifying two PHP files that allowed injecting malicious code into SQL statements without authentication. He further mentioned that the injection was only possible because of “a webhook search function that injected the search parameter into a SQL query without using a prepared statement.” Although the sanitize_text_field and esc_like functions were in use, esc_like on its own is not a substitute for a prepared statement and could still be abused; that construction is no longer present in version 5.5.1.
Security researchers affirmed that it was most likely due to improper escaping of the $attributes parameter in a public-facing endpoint that doesn't require authentication.
“The $attributes parameter in this endpoint (line 86) is taken from the user input and then processed and injected into a SQL query that was not properly escaped,” Sild says.
Moreover, upon further clarification, the researchers mentioned that “the only sanitization against this parameter was the sanitize_title function (through wc_sanitize_taxonomy_name). However, this does not provide sufficient protection.”
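As an added example (not code from WooCommerce, Patchstack or the article), the pattern described above modelled in plain PHP: a search term passed through an esc_like()-style escape and then interpolated into the SQL string, beside the prepared-statement form that the fix relies on. esc_like_model(), the webhooks table and the sample rows are assumptions constructed for the demonstration.

```php
<?php
// Added example, not WooCommerce's code. esc_like_model() is an assumed stand-in that
// escapes the same characters as WordPress esc_like() (% _ \) and nothing else, which is
// why it cannot stand in for a prepared statement. Needs PHP with the pdo_sqlite extension.

function esc_like_model(string $text): string {
    return addcslashes($text, '_%\\');   // quotes are deliberately NOT escaped, as in esc_like()
}

function make_db(): PDO {
    // Constructed in-memory table standing in for the webhook records being searched.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE webhooks (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO webhooks (name) VALUES ('order created'), ('order updated'), ('coupon 100%')");
    return $db;
}

// Vulnerable pattern: the escaped term is interpolated into the SQL text. LIKE wildcards are
// neutralised, but a quote in $term still changes the statement the database parses.
function search_webhooks_unsafe(PDO $db, string $term): array {
    $like = '%' . esc_like_model($term) . '%';
    $sql  = "SELECT name FROM webhooks WHERE name LIKE '$like' ESCAPE '\\'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: same wildcard escaping, but the value is bound as a parameter, so the
// database receives it as data and never as part of the SQL grammar.
function search_webhooks_safe(PDO $db, string $term): array {
    $like = '%' . esc_like_model($term) . '%';
    $stmt = $db->prepare("SELECT name FROM webhooks WHERE name LIKE :like ESCAPE '\\'");
    $stmt->execute([':like' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
foreach (['order', '100%', "O'Brien"] as $term) {   // constructed inputs; the last one carries a quote
    try {
        $unsafe = count(search_webhooks_unsafe($db, $term)) . ' rows';
    } catch (PDOException $e) {
        $unsafe = 'SQL error: the quote reached the parser';   // structure of the query was altered
    }
    $safe = count(search_webhooks_safe($db, $term)) . ' rows';
    printf("%-10s unsafe: %-42s safe: %s\n", $term, $unsafe, $safe);
}
```

A stray quote producing a syntax error in the unsafe path is the quickest sign that user input is being parsed as SQL, while the prepared form treats the same input as a literal and simply returns no rows.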
WordPress.com has already received the patched version, and the same goes for WordPress.org, where the patch is being distributed automatically through the Plugin Team.
If this SQL injection flaw is leveraged, attackers can obtain a significant amount of data, including store-related information, administrative details, and data about orders and customers. Even though Patchstack hasn't observed any exploitation attempts, such attempts are not far-fetched, especially while these security patches are still gradually reaching more sites.
According to the new data, the researchers saw that attacks originated from four IP addresses:
Further, the number of attacks can be expected to increase once an exploit becomes more widely available (proof-of-concept code already exists, but access to it is limited).