Three popular e-commerce plugins for WordPress (WP) installations, open to SQL injection attacks disclosed in December 2022, have been patched, protecting businesses from malicious actors reading, modifying or deleting their websites' data.
The three plugins concerned, as discovered by Joshua Martinelle, a security researcher at Tenable (via BleepingComputer), are 'Paid Memberships Pro', a subscription management tool active on more than 100,000 installations, 'Easy Digital Downloads', an e-commerce tool active on more than 50,000 installations, and 'Survey Maker', a market research tool with over 3,000 active installs.
SQL injection is a class of vulnerability in which data an attacker supplies through a website form, URL parameter or API request is pasted into a database query without being kept separate from the query's own code. An attacker who finds one can read, modify or delete the site's database contents, including password hashes and other data that grant unauthorized access to the backend, without ever needing a login.
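To make the mechanism concrete, here is an added example that is not code from the article or from any of the three plugins. It uses Python's sqlite3 module as a stand-in for WordPress's PHP and $wpdb, with a constructed orders/users schema that is not the real plugins' schema. It shows a lookup built by string concatenation being turned into a UNION query that reads the users table, the same lookup made safe with a placeholder, and the allow-list approach needed where a placeholder cannot be used (a column name in ORDER BY).

```python
import sqlite3

# Constructed sample schema standing in for a plugin's tables (hypothetical, not any real plugin's).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, code TEXT, total REAL);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, user_email TEXT, user_pass TEXT);
        INSERT INTO orders VALUES (1, 10, 'ABC123', 19.99), (2, 11, 'XYZ789', 49.00);
        INSERT INTO users  VALUES (10, 'alice@example.com', '$P$Bhash1'),
                                  (11, 'bob@example.com',   '$P$Bhash2');
    """)
    return conn


def lookup_order_vulnerable(conn, code):
    # The bug: untrusted input is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, user_id, code, total FROM orders WHERE code = '{code}'"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, code):
    # The fix: a placeholder. The driver passes the value separately from the
    # query text, so whatever the attacker sends can only ever be a string value.
    sql = "SELECT id, user_id, code, total FROM orders WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Placeholders only work for values, not identifiers. A user-controlled sort
# column (a common pattern in plugin list endpoints) must be checked against
# an allow-list instead.
ALLOWED_ORDERBY = {"id", "code", "total"}

def list_orders_safe(conn, orderby):
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"unsupported sort column: {orderby!r}")
    return conn.execute(f"SELECT id FROM orders ORDER BY {orderby}").fetchall()


# Constructed attacker input: closes the literal, appends a UNION with the same
# number of columns as the original SELECT, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT id, 0, user_email || ':' || user_pass, 0 FROM users--"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", lookup_order_vulnerable(conn, PAYLOAD))  # leaks every user's hash
    print("safe:      ", lookup_order_safe(conn, PAYLOAD))        # [] - payload is just a string
    print("sorted:    ", list_orders_safe(conn, "total"))
    try:
        list_orders_safe(conn, "id; DROP TABLE orders")
    except ValueError as e:
        print("rejected:  ", e)
```

In a WordPress plugin the equivalent of the placeholder call is `$wpdb->prepare()` with `%s`/`%d` format specifiers; the equivalent of the allow-list is validating `orderby`-style parameters against a fixed set of column names before interpolating them, since `prepare()` cannot quote identifiers.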
WordPress SQL Injections
While any website can end up with an SQL injection flaw during development, WordPress installations, which share one widely deployed core and a small set of very common plugins, are a popular target for threat actors seeking exploits: a single plugin bug is reusable against every site running that plugin.
In January 2023 alone, TechRadar Pro has reported on another WP plugin, offering a live chat feature, that was exploited over a three-year period to execute JavaScript code redirecting users to malicious websites, as well as a similar attack targeting a plugin that adds gift card functionality to online stores.
Fortunately, after Martinelle disclosed the flaws, together with proof-of-concept (PoC) exploits, on December 19, 2022, the plugin developers acted quickly, with patches released within weeks and in some cases within days.
A patch for ‘Survey Maker’, as part of plugin version 3.1.2, was released as early as December 21. “Paid Memberships Pro” followed on the 27th, with a fix incorporated into version 2.9.8, and “Easy Digital Downloads” followed on January 5, 2023 as part of version 3.1.0.4.
Affected users who have not already done so are advised to update these plugins to at least the versions above, and ideally to the latest release, to close the SQL injection flaws; the published PoCs mean unpatched sites can be expected to be probed.