First published: Mon Jul 26 2021
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability affects all WooCommerce sites running the WooCommerce Blocks feature plugin from version 2.5.0 up to, but not including, version 2.5.16. Via a carefully crafted URL, the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint can be made to execute a read-only SQL query. Patches exist for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Automattic Woocommerce Blocks | >=2.5.0 <2.5.16 | |
| Automattic Woocommerce Blocks | >=2.6.0 <2.6.2 | |
| Automattic Woocommerce Blocks | >=2.7.0 <2.7.2 | |
| Automattic Woocommerce Blocks | >=2.8.0 <2.8.1 | |
| Automattic Woocommerce Blocks | >=2.9.0 <2.9.1 | |
| Automattic Woocommerce Blocks | >=3.0.0 <3.0.1 | |
| Automattic Woocommerce Blocks | >=3.2.0 <3.2.1 | |
| Automattic Woocommerce Blocks | >=3.4.0 <3.4.1 | |
| Automattic Woocommerce Blocks | >=3.5.0 <3.5.1 | |
| Automattic Woocommerce Blocks | >=3.6.0 <3.6.1 | |
| Automattic Woocommerce Blocks | >=3.7.0 <3.7.2 | |
| Automattic Woocommerce Blocks | >=3.8.0 <3.8.1 | |
| Automattic Woocommerce Blocks | >=3.9.0 <3.9.1 | |
| Automattic Woocommerce Blocks | >=4.0.0 <4.0.1 | |
| Automattic Woocommerce Blocks | >=4.1.0 <4.1.1 | |
| Automattic Woocommerce Blocks | >=4.2.0 <4.2.1 | |
| Automattic Woocommerce Blocks | >=4.3.0 <4.3.1 | |
| Automattic Woocommerce Blocks | >=4.4.0 <4.4.3 | |
| Automattic Woocommerce Blocks | >=4.5.0 <4.5.3 | |
| Automattic Woocommerce Blocks | >=4.6.0 <4.6.1 | |
| Automattic Woocommerce Blocks | >=4.7.0 <4.7.1 | |
| Automattic Woocommerce Blocks | >=4.8.0 <4.8.1 | |
| Automattic Woocommerce Blocks | >=4.9.0 <4.9.2 | |
| Automattic Woocommerce Blocks | >=5.0.0 <5.0.1 | |
| Automattic Woocommerce Blocks | >=5.1.0 <5.1.1 | |
| Automattic Woocommerce Blocks | >=5.2.0 <5.2.1 | |
| Automattic Woocommerce Blocks | >=5.3.0 <5.3.2 | |
| Automattic Woocommerce Blocks | >=5.4.0 <5.4.1 | |
| Automattic Woocommerce Blocks | >=5.5.0 <5.5.1 | |
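As an added example (not code from the advisory or from the WooCommerce project), the following Python checks an installed WooCommerce Blocks version against the ranges in the table above and reports the first patched release on that branch; the range strings are transcribed from the Affected Version column, and versions on branches the table does not list are reported as outside every range.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# "Affected Version" column of the advisory table, transcribed verbatim as
# ">=lower<upper": lower is inclusive, upper is the first patched release.
AFFECTED = [
    ">=2.5.0<2.5.16", ">=2.6.0<2.6.2", ">=2.7.0<2.7.2", ">=2.8.0<2.8.1",
    ">=2.9.0<2.9.1", ">=3.0.0<3.0.1", ">=3.2.0<3.2.1", ">=3.4.0<3.4.1",
    ">=3.5.0<3.5.1", ">=3.6.0<3.6.1", ">=3.7.0<3.7.2", ">=3.8.0<3.8.1",
    ">=3.9.0<3.9.1", ">=4.0.0<4.0.1", ">=4.1.0<4.1.1", ">=4.2.0<4.2.1",
    ">=4.3.0<4.3.1", ">=4.4.0<4.4.3", ">=4.5.0<4.5.3", ">=4.6.0<4.6.1",
    ">=4.7.0<4.7.1", ">=4.8.0<4.8.1", ">=4.9.0<4.9.2", ">=5.0.0<5.0.1",
    ">=5.1.0<5.1.1", ">=5.2.0<5.2.1", ">=5.3.0<5.3.2", ">=5.4.0<5.4.1",
    ">=5.5.0<5.5.1",
]

RANGE_RE = re.compile(r"^>=(\d+(?:\.\d+)*)<(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'2.5.16' -> (2, 5, 16). Numeric tuples compare correctly ('2.5.9' < '2.5.16'),
    which a plain string comparison gets wrong; short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(spec: str) -> Tuple[Version, Version]:
    """Parse the advisory's '>=a.b.c<x.y.z' notation into (lower_inclusive, upper_exclusive)."""
    m = RANGE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised range spec: {spec!r}")
    return parse_version(m.group(1)), parse_version(m.group(2))


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first patched release on the installed version's branch, or None
    when the version is outside every listed range. Branches absent from the table
    (for example 3.1.x and 3.3.x) therefore fall through to None."""
    v = parse_version(version)
    for spec in AFFECTED:
        lower, upper = parse_range(spec)
        if lower <= v < upper:
            return ".".join(str(n) for n in upper)
    return None


def is_affected(version: str) -> bool:
    """True when the installed version falls inside one of the advisory's ranges."""
    return fixed_release_for(version) is not None
```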
CVE-2021-32789 is an SQL injection vulnerability that impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16.
The severity of CVE-2021-32789 is high, with a CVSS score of 7.5.
CVE-2021-32789 allows an attacker to execute malicious SQL queries through a carefully crafted URL, potentially leading to unauthorized access or data manipulation.
To fix CVE-2021-32789, WooCommerce sites running the affected versions need to update to version 2.5.16 or higher of the WooCommerce Blocks feature plugin.
More information about CVE-2021-32789 can be found in the references provided: [GitHub Pull Request](https://github.com/woocommerce/woocommerce-gutenberg-products-block-ghsa-6hq4-w6wv-8wrp/pull/1), [GitHub Security Advisory](https://github.com/woocommerce/woocommerce-gutenberg-products-block/security/advisories/GHSA-6hq4-w6wv-8wrp), [HackerOne Report](https://hackerone.com/reports/1260787).