Saturday, May 21st, 2022

Unauthorized SQL injection vulnerability discovered in WooCommerce

An unauthorized SQL injection vulnerability affecting versions of WooCommerce on more than 5 million websites on the Internet has been disclosed to the public by Automattic.

Due to the nature of the vulnerability, the WooCommerce team is introducing mandatory patching on minor versions, even if automatic plugin updates are disabled within WooCommerce or Pagely.

Vulnerability Description

We will not provide specific details, but we can say that the vulnerability stems from the function wc_sanitize_taxonomy_name applying a nested urldecode call to its input.
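The pattern behind that description, sanitizing a value and only afterwards URL-decoding it, can be shown in miniature. The following is an added example, not WooCommerce or WordPress code: `sanitize_slug` is a constructed stand-in for a slug sanitizer that keeps `%` (as one must to let percent-encoded UTF-8 slugs through), and the two orderings plus the fixed-point check are illustrative.

```python
import re
from urllib.parse import unquote

# Constructed toy slug sanitizer (NOT WordPress's sanitize_title()).
# It deliberately keeps '%' so percent-encoded UTF-8 slugs survive; that
# is exactly the property that makes a later urldecode dangerous.
_DISALLOWED = re.compile(r"[^a-z0-9%_-]")


def sanitize_slug(value: str) -> str:
    """Lowercase the value and strip everything outside the allow-list."""
    return _DISALLOWED.sub("", value.lower())


def sanitize_then_decode(value: str) -> str:
    """Risky ordering: sanitize first, then urldecode the result.
    A percent-encoded character passes the sanitizer untouched and is
    only turned back into a raw character after the filter has run."""
    return unquote(sanitize_slug(value))


def decode_then_sanitize(value: str) -> str:
    """Hardened ordering: decode first, so the sanitizer sees the
    characters that will actually reach the database."""
    return sanitize_slug(unquote(value))


def escapes_sanitizer(value: str) -> bool:
    """Defender's check: whatever is handed onward must be a fixed point
    of the sanitizer. If re-sanitizing the decoded result changes it,
    encoded characters slipped past the filter."""
    result = sanitize_then_decode(value)
    return sanitize_slug(result) != result


if __name__ == "__main__":
    # Constructed sample inputs: a plain slug, a harmlessly encoded hyphen,
    # and an encoded single quote that the sanitizer should have removed.
    for sample in ["red-shoes", "red%2Dshoes", "shoes%27"]:
        print(f"{sample!r:14} sanitize->decode: {sanitize_then_decode(sample)!r:12} "
              f"decode->sanitize: {decode_then_sanitize(sample)!r:12} "
              f"bypass={escapes_sanitizer(sample)}")
```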

How Pagely Customers Are Affected

We’ve reached out directly to all of our customers who are using the affected version of WooCommerce. If you haven’t received that notification, please be aware that patches are being rolled out directly by the software vendor, not Pagely. We are monitoring for issues on our end, and will be scanning periodically to confirm that all sites hosted by Pagely are receiving updates. If we see an issue specifically affecting your site, we’ll get in touch with a support ticket.

If you manage your codebase using Git, please ensure that the patched version makes it to your repository to prevent regression during your next deployment.

Conclusion

Although very rare, vulnerabilities of this severity require proactive action to keep you safe. That’s why WooCommerce decided to force updates to minor versions. To be clear, even if you have requested Pagely not to implement automatic updates, this update will still come directly from the vendor.

We wanted you to know that we are aware of this vulnerability. From the moment it was made public, we have been following along and making sure our customers are aware too. If you have any questions, please don’t hesitate to contact our support team.
