Impact
This vulnerability affects all WooCommerce sites running version 3.3.0 or later of the WooCommerce plugin. A malicious actor who already has admin access, or API keys for the WooCommerce site, can exploit the vulnerable webhook listing endpoints, such as /wp-json/wc/v3/webhooks and /wp-json/wc/v2/webhooks. The flaw allows read-only SQL queries to be executed through the search parameter. The results of the injected query are not returned directly, but by carefully crafting the search parameter an attacker can disclose information through timing and related blind-inference attacks.
Patches
diff --git a/includes/data-stores/class-wc-webhook-data-store.php b/includes/data-stores/class-wc-webhook-data-store.php
index 7feed6e4cc..0815e28fe0 100644
--- a/includes/data-stores/class-wc-webhook-data-store.php
+++ b/includes/data-stores/class-wc-webhook-data-store.php
@@ -277,7 +277,7 @@ class WC_Webhook_Data_Store implements WC_Webhook_Data_Store_Interface {
$limit = -1 < $args['limit'] ? $wpdb->prepare( 'LIMIT %d', $args['limit'] ) : '';
$offset = 0 < $args['offset'] ? $wpdb->prepare( 'OFFSET %d', $args['offset'] ) : '';
$status = ! empty( $args['status'] ) ? $wpdb->prepare( 'AND `status` = %s', isset( $statuses[ $args['status'] ] ) ? $statuses[ $args['status'] ] : $args['status'] ) : '';
- $search = ! empty( $args['search'] ) ? "AND `name` LIKE '%" . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . "%'" : '';
+ $search = ! empty( $args['search'] ) ? $wpdb->prepare( "AND `name` LIKE %s", '%' . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . '%' ) : '';
$include = '';
$exclude = '';
$date_created = '';
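Review bot: the shape of the fix on the changed line is right, since the entire '%' . esc_like(...) . '%' pattern is now passed to $wpdb->prepare() as a single %s instead of being concatenated into the quoted literal, and the order matters: esc_like() must run before prepare(), as it does here, because prepare() escapes the quotes while esc_like() only escapes the wildcards. Two things are worth adding: a regression test that sends a search value containing a single quote and asserts the query still executes and matches it literally (the old line relied on sanitize_text_field() and esc_like(), neither of which escapes quotes, so nothing was protecting the literal), and a check that the $include, $exclude and $date_created clauses initialised just below this hunk, whose builders are not shown, go through prepare() or absint() in the same way rather than string concatenation.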
Workarounds
No workarounds are available for this vulnerability.
References
A8C SIRT: p3btAN-1ve-p2 (internal)
Public disclosure: https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/