WordPress Plugins
A serious vulnerability has been discovered in the extremely popular e-commerce plugin for WordPress, “WooCommerce”.
If left unpatched, a WordPress installation utilizing version 2.3.5 or earlier could be vulnerable to a SQL injection attack that requires Shop Manager or Admin access to be exploited. Similar to the WordPress SEO issue we wrote about yesterday, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.
A patched version of the “WooCommerce” plugin, ver. 2.3.6, has been released to fix this vulnerability and can be downloaded from WordPress.org or directly from WooThemes.
As pointed out in the Wordfence blog, kudos must be given to the rapid turn-around of this patch (less than 24 Hours!) by the folks at WooThemes.
For more details on the vulnerability, please visit:
WooCommerce SQL injection vulnerability (Wordfence Blog)
Although some of the sites we manage utilize WooCommerce, we’ve already taken action to patch those sites against this flaw, so NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.