WooCommerce SQL Injection Vulnerability
Researchers at Wordfence discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit. The good folks at WooCommerce have already released version 2.3.6 with the fix.
Warning - Technical Details
The specific issue is an SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key of the ‘tax_rate_country’ POST parameter is passed unescaped into a SQL insert statement. For example, a payload of
tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds.
Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited, but it does mean that a hacker could gain access to your SQL database and information.
Do You Need to Take Action?
All Seamróg managed ecommerce clients running WooCommerce have already been updated and tested. If you're not a managed ecommerce client, please check your version of Woocommerce and upgrade to version 2.3.6 as soon as possible!
We're here to help. Email firstname.lastname@example.org or call us at 717-831-8324 for assistance with updating your site.