Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases
Quote: A critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been under attack as a zero-day bug, researchers have disclosed.
 
The exploitation prompted WooCommerce to release an emergency patch for the issue late on Wednesday. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
 
WooCommerce, a popular open-source e-commerce platform for websites running on WordPress, is installed on more than 5 million websites globally. It allows online merchants to create storefronts with various customizable options such as payment types accepted, shipping features, sales tax calculations and so on.
 
The related plugin affected by the bug is the WooCommerce Blocks feature, which is installed on more than 200,000 sites. It helps merchants display their products on webpages.
 
The bug (CVE pending) was originally reported by Josh Ledford of Richmond, Va.-based Development Operations Security (DOS), with disclosure coordination help from HackerOne security researcher Thomas DeVoss (dawgyg). DeVoss said via Twitter that he was able to pull together a working proof-of-concept exploit, but that he wouldn’t release details of the bug until after there’s been time for merchants to apply the patch.
 
So, technical details are scant apart from the fact that it allows SQL injection – a type of attack that allows a cyberattacker to interfere with the queries that an application makes to its database. Usually this is carried out by inserting malicious SQL statements into an entry field for execution.

Read more: Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases | Threatpost