WooCommerce & WooCommerce Blocks Plugins for WordPress Unauthenticated SQL Injection

High | Web App Scanning Plugin ID 112906

Synopsis

WooCommerce & WooCommerce Blocks Plugins for WordPress Unauthenticated SQL Injection

Description

WordPress WooCommerce plugin versions 3.3 through 5.5.0 and WooCommerce Blocks feature plugin versions 2.5 through 5.5.0 contain an unauthenticated SQL injection vulnerability.

Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.

Solution

See the publisher's website and apply the patch that corresponds to your installed WooCommerce or WooCommerce Blocks feature plugin version.

See Also

https://patchstack.com/woocommerce-sql-injection-vulnerability/

https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx

https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

Plugin Details

Severity: High

ID: 112906

Type: remote

Published: 7/21/2021

Updated: 9/7/2021

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:*:wordpress:*:*

Reference Information