WooCommerce, an open-source Ecommerce solution integrated into more than 5 million active WordPress sites, released emergency patches yesterday in order to address a new vulnerability. There is considerable evidence that the attack has been successfully attempted in the wild against targeted victims. Details have not yet been publicly disclosed in order to give merchants time to install the patch, but security researchers have determined that this is an SQL injection that allows the attacker to access information in the underlying database, including any customer information such as credit card numbers as well as employee credentials that could be used to in a chain of further attacks. The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin. Automated updates are being rolled out, but these may be unsuccessful if the latest version within a release branch has not been installed. See the link below for details.
Analyst Notes
To the extent that securing customer information is prioritized in an organization’s risk management framework, such as those websites subject to GDPR, users of the WooCommerce solution should prioritize deployment of the emergency patch. While the patch should be automatic for most installations of recent versions, this means that upgrading WooCommerce to a version that can deploy the patch is of equal importance. The attack is already being employed and it is likely when further details are released that more widespread campaigns will be initiated. Wordfence researchers have released several details about the attack based on client reports and telemetry:
Requests with SQL statements in log files such as /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data or query strings such as %2525 may indicate a compromise.
Several IP addresses have been found to be used in successful attacks: 107.173.148.66
84.17.37.76
122.161.49.71
Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases