WooCommerce, an open-source Ecommerce solution integrated into more than 5 million active WordPress sites, released emergency patches yesterday in order to address a new vulnerability. There is considerable evidence that the attack has been successfully attempted in the wild against targeted victims. Details have not yet been publicly disclosed in order to give merchants time to install the patch, but security researchers have determined that this is an SQL injection that allows the attacker to access information in the underlying database, including any customer information such as credit card numbers as well as employee credentials that could be used to in a chain of further attacks. The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin. Automated updates are being rolled out, but these may be unsuccessful if the latest version within a release branch has not been installed. See the link below for details.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in