This security advisory is written about the WooCommerce SQL Injection vulnerability. Patchstack users are safe from the vulnerability.
Update July 16th, 2021: we have seen a few attacks starting to happen around the evening time on July 15th, 2021. These attacks seem to be very limited so far, but seem to be using UNION and SLEEP based SQL injections. We have added a IOC section below.
On July 15th, 2021, WooCommerce made an announcement that the WooCommerce (versions 3.3 through 5.5.0) and WooCommerce Blocks feature plugins (versions 2.5 through 5.5.0) were vulnerable to a critical SQL injection vulnerability which was found by Josh at HackerOne.
They released a patch immediately which fixes these vulnerabilities. Patchstack also released a vPatch which fixes the vulnerability for any user who is running a site with the vulnerable WooCommerce version installed.
Note that as the publication of this vulnerability is still very new, we will not provide too much information on the vulnerability and only analyze the patch without going into detail on how exactly this vulnerability can be exploited.
The patch
The patch for this vulnerability can be found in the WordPress plugin directory located here. Below is included an image of the changes between version 5.5.0 and 5.5.1. This shows that 2 core files were modified. The patch for the WooCommerce Blocks plugin is identical to what is displayed below.
The first modified file is regarding a webhook search function that injected the search parameter into a SQL query without using a prepared statement.
Although the functions sanitize_text_field and esc_like were used, the esc_like function should only be used in combination with a prepared statement, which was not used in versions 5.5.0 and below.
The second modified file is regarding a public-facing API endpoint which does not require any authentication. The $attributes parameter in this endpoint (line 86) is taken from the user input and then processed and injected into a SQL query that was not properly escaped.
More specifically, the only sanitization against this parameter was the sanitize_title function (through wc_sanitize_taxonomy_name). However, this does not provide sufficient protection.
At this time we have not seen any indicators that it is being abused yet, but we will be monitoring this vulnerability closely and update this article once we have seen any indication that it is being exploited.
IOC
These are potential indicators of compromise. So far we have seen a few attacks from these IP addresses and the keywords that were used as part of the SQL injection attack in the URL.
IP Addresses:
107.173.148.66
84.17.37.76
35.224.194.223
66.29.134.28
162.55.10.138
Keywords:
sqli-test
nuclei-pdteam
The solution
If the WooCommerce or WooCommerce Blocks plugins have not been updated yet, you should update them as soon as possible. Although we have not seen indicators of exploitation yet, this could happen at any moment and could potentially cause a data leak of your site.
If you have Patchstack installed, you are protected from this vulnerability, but it is always strongly advised to update or delete vulnerable plugins from your site.
WordPress Vulnerability Database Entries:
1) WooCommerce
2) WooCommerce Blocks