A critical SQL injection vulnerability was recently fixed in the WordPress plug-in, WooCommerce. The vulnerability poses a threat to over 5 million WordPress websites and can be exploited to obtain access to information stored in the databases of online stores. On a different but related subject, a Zero-Day vulnerability, among other high severity vulnerabilities, was patched in Google’s Chrome Browser. The zero-day flaw is reported as being exploited in the wild.
WooCommerce is an open-source WordPress plug-in that provides e-commerce functionality for a website. In other words, it allows converting a WordPress website to a fully functional online store.
Vulnerability Details
WooCommerce Vulnerability
The SQL injection vulnerability, which has not been assigned any CVE yet, affects the WooCommerce and WooCommerce Blocks feature plug-ins. The flaw’s seriousness was such that WooCommerce was forced to push the patches to online stores through automatic updates. It is yet to be ascertained whether or not the flaw is being actively exploited, Wordfence, whose researchers could provide proofs-of-concept for the flaw, stated that there was very limited information regarding the same.
Chrome Zero-Day: CVE-2021-30563
This flaw brings up the total of Zero-days fixed by Chrome this year to nine. The bug resides in the V8 engine, which is Google’s open-source high-performance JavaScript and WebAssembly engine. While Google did announce that this vulnerability is being exploited in the wild, as per their conventional approach, no additional details about the flaw have been mentioned. The advisory also mentions that the release includes 7 other security fixes, out of which 6 have been assigned the following CVEs:
CVE-2021-30559: Out of bounds write in ANGLE (High)
CVE-2021-30541: Use after free in V8 (High)
CVE-2021-30560: Use after free in Blink XSLT (High)
CVE-2021-30561: Type Confusion in V8 (High)
CVE-2021-30562: Use after free in WebSerial (High)
CVE-2021-30564: Heap buffer overflow in WebXR (Medium)
Affected Products
WooCommerce plug-in versions from 3.3 through 5.5
WooCommerce Blocks plug-in versions from 2.5 through 5.5
Google Chrome versions before 91.0.4472.164
Impact
The WooCommerce vulnerability provides unauthenticated attackers with access to arbitrary data from the databases of online stores.
While no details are available on the impact of the Chrome Zero-Day, a type confusion flaw could lead to code execution in the worst-case scenario.
Solution
The vendor has deployed Automatic software updates for all the major branches of WooCommerce and WooCommerce Blocks. However, the vendor still recommends using the latest versions of the aforementioned plug-ins, i.e. 5.5.1.
Google has released the security updates addressing the issue in Google Chrome version 91.0.4472.164.
SanerNow detects the Google Chrome vulnerabilities and automatically fixes them through patch management by applying security updates. We strongly recommend applying the security updates as soon as possible following the instructions published in our support article which is now replaced by support article ) .