Critical Unauthenticated SQL Injection Vulnerability Patched in WooCommerce Cyber

or to bookmark this page

Click here to bookmark this page

Click here to remove bookmark

Critical Unauthenticated SQL Injection Vulnerability Patched in WooCommerce

  • Roman Guillermo Roman Guillermo
  • George Glass George Glass
  • Cristhian Parrot Cristhian Parrot

Critical SQL Injection Vulnerability Patched WooCommerce

On July 14, 2021, WooCommerce issued an emergency patch for a critical vulnerability allowing an unauthenticated attacker to access arbitrary data in an online store’s database.

WooCommerce is one of the most popular e-commerce platforms in the world and is installed on over five million websites. Additionally, the WooCommerce Blocks feature plugin, which is installed on more than 200,000 sites, was affected by the vulnerability and was patched at the same time.

The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin. Versions below WooCommerce 3.3 do not appear to be affected.

At the time of writing, there was no CVE assigned to this vulnerability. It is probably because the WooCommerce team has quickly fixed the issue after reporting it. Kroll has not identified any public exploits, although with details now public, we have seen proof-of-concept exploits against vulnerable versions of WooCommerce, and threat actors may now be able to create their own exploits.

If not already done, Kroll advises clients to take the following steps as soon as possible:

  • Check if you are using affected software version (versions below WooCommerce 3.3 do not seem to be affected)
  • If so, check for signs of compromise such as suspicious queries in server or database logs
  • Immediately install patched or the latest software version
  • Update the passwords for any Administrator users on all your sites, especially if they reuse the same passwords on multiple websites
  • Rotate any payment gateway and WooCommerce API keys used on your sites

WooCommerce advises checking for evidence of the following IP addresses in web access logs, which have been detected exploiting this vulnerability:

  • 137.116.119[.]175
  • 162.158.78[.]41
  • 103.233.135[.]21

According to WooCommerce, over 98% of detected exploit attempts have originated from the first IP address in the list. If these addresses appear in web access logs, assume compromise and move to incident response footing.

Diving Into the Vulnerability

The vulnerability was a time-based Blind SQL Injection, although it appears that UNION-based SQL Injection may be possible with this vulnerability, which would mean that an attacker can more quickly retrieve the database information.

WooCommerce has also published a series of regular expressions that can be used to search for relevant lines in web access log files. These regular expressions will hopefully help locate and analyze potential compromise.

  • Requests matching the regular expression: /\/wp-json\/wc\/store\/products\/collection-data.*%25252.*/
  • Requests matching the regular expression: /.*\/wc\/store\/products\/collection-data.*%25252.*/ (note that this expression is not efficient/is slow to run in most logging environments)
  • Any request to /wp-json/wc/store/products/collection-data or /?rest_route=/wc/store/products/collection-data using POST or PUT methods.

Critical SQL Injection Vulnerability Patched WooCommerce

Figure 1 – Test of the vulnerability in the Kroll forensics lab showing the SQL injection queries in server’s logs

Regardless of any perimeter protection system you may have, proactively keeping your CMS software up to date is the best possible protection against today’s web attacks and significantly reduces the risk of vulnerabilities being exploited by threat actors.

It’s important to remember there are many legitimate reasons for a company to keep an unpatched vulnerability in place for business or operational reasons. Maintaining a program that can monitor and understand the impact of new vulnerabilities to determine how soon to patch requires considerable resources beyond what many smaller teams can undertake. A mature cyber security program would balance vulnerability management investments with a stronger ability to detect and respond to incidents, which provides a more robust defensive posture.

WooCommerce advisory:
WPSEC proof of concept details:
Official updates regarding WooCommerce:

Critical Unauthenticated SQL Injection Vulnerability Patched in WooCommerce 2021-08-16T00:00:00.0000000 /en/insights/publications/cyber/critical-sql-injection-vulnerability-patched-woocommerce /-/media/kroll/images/publications/featured-images/critical-sql-injection-vulnerability-patched-woocommerce.jpg publication {E39587AD-8F0B-4FE2-865F-969BC5501096} {1CF418EA-8C84-4BCD-BB0A-320F07DB9AB5} {3A077BFC-C74A-40AF-A14C-13BCF6E3873E} {2F9D4938-E5F0-4F9C-9A20-C4A5DCF79130} {010E62CD-5FFC-47D2-9A88-ACC26BCD8EAC} {058CEC4B-AB74-4982-A8CC-B399FCB93BB2} {A3E80394-4BDC-4E1D-8266-0653FE885E69} {34183564-0FD0-4B23-83DD-F39E7A73B28B}

Stay Ahead with Kroll

Cyber Risk

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk
System Assessments and Testing

Cyber Vulnerability Assessment

Services using cutting-edge tools to help clients map a prioritized path to increased cyber security.

Cyber Vulnerability Assessment
Incident Response and Litigation Support

24x7 Incident Response

Compliant notifications, reputation-saving remediation, and litigation support.

24x7 Incident Response
Cyber Risk Retainers

Cyber Risk Retainers

Secure a true cyber risk retainer with elite digital forensics and incident response capabilities.

Cyber Risk Retainers
Has COVID-19 Impacted Your Ability to Preserve Evidence for Future Litigation?

Ransomware Preparedness Assessment

Helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Ransomware Preparedness Assessment
Cyber Risk: The New Due Diligence Frontier, Identity Monitoring

Data Breach Notification Letters

Notification letters personalized by industry including healthcare, financial, legal and others.

Data Breach Notification Letters



The THIP Model: Embedding Emotional Intelligence in Third-Party Risk Management

Episode 17

Post-Pandemic Terrorism Threats and How Company Leaders Can Approach This Risk

Episode 17