On March 12th a SQL injection vulnerability was discovered in the plugin WooCommerce (Versions 2.3.5 and older) during a code audit.
A fix was released the next day on March 13th by WooCommerce – Version 2.3.6. It is strongly recommended that you update to the new version as soon as possible.
The issue is an SQL injection vulnerability in the admin panel. In the Tax Settings page, the key of the ‘tax_rate_country’ POST array parameter is passed unescaped into an SQL INSERT statement.
For example, a payload of tax_rate_country[(SELECT SLEEP(15))] would cause the MySQL server to sleep for 15 seconds.
Because exploiting this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack (or another way of driving a privileged user's browser) in order to be exploited by an outside attacker.
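To make the bug pattern concrete, here is an added Python re-creation of it (not WooCommerce's code, and not its actual patch) against an in-memory SQLite table whose schema is a constructed stand-in: the array key is spliced into the INSERT text while only the value is bound, so an SQL expression used as the key is evaluated by the database. SQLite has no SLEEP(), so the hostile key uses an arithmetic sub-select instead; the hardened version assumes the fix of validating each key as a non-negative integer and binding it as a parameter.

```python
import sqlite3

# Constructed stand-in for the tax-rate table (not WooCommerce's real schema).
SCHEMA = "CREATE TABLE tax_rates (tax_rate_id INTEGER PRIMARY KEY, country TEXT)"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def save_rates_vulnerable(db, tax_rate_country):
    """Vulnerable pattern: the request array KEY is interpolated straight into
    the SQL text. Only the VALUE is bound, so the key is executed as SQL."""
    for key, country in tax_rate_country.items():
        db.execute(
            f"INSERT INTO tax_rates (tax_rate_id, country) VALUES ({key}, ?)",
            (country,),
        )
    return sorted(db.execute("SELECT tax_rate_id, country FROM tax_rates"))


def save_rates_fixed(db, tax_rate_country):
    """Hardened form (assumed fix): the key must be a string of digits, is
    converted to an int, and is bound as a parameter like the value."""
    for key, country in tax_rate_country.items():
        if not (isinstance(key, str) and key.isdigit()):
            raise ValueError(f"invalid tax_rate_id key: {key!r}")
        db.execute(
            "INSERT INTO tax_rates (tax_rate_id, country) VALUES (?, ?)",
            (int(key), country),
        )
    return sorted(db.execute("SELECT tax_rate_id, country FROM tax_rates"))


# Constructed POST bodies: a normal one, and one whose key is an SQL expression.
NORMAL = {"1": "GB"}
HOSTILE = {"(SELECT 40+2)": "GB"}

if __name__ == "__main__":
    print("vulnerable, normal :", save_rates_vulnerable(fresh_db(), NORMAL))
    print("vulnerable, hostile:", save_rates_vulnerable(fresh_db(), HOSTILE))
    print("fixed, normal      :", save_rates_fixed(fresh_db(), NORMAL))
    try:
        save_rates_fixed(fresh_db(), HOSTILE)
    except ValueError as exc:
        print("fixed, hostile     : rejected ->", exc)
```

The vulnerable path stores 42 for the hostile key, proving the key was evaluated as SQL; the fixed path refuses it before any query runs.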
You can download the newest version & fix here.