Important Security Update: WooCommerce SQL Injection Vulnerability Fixed in version 2.3.6
Popular security firm Wordfence recently discovered an SQL injection vulnerability in version 2.3.5 of the WooCommerce plugin, which was the latest version of the plugin at that time. Soon after being aware of the security risk, the WooCommerce team has pushed a new version of their plugin which fixes the vulnerability. Every WooCommerce user is strongly advised to update their WooCommerce plugin to the latest version.
As a result, WooCommerce version 2.3.6 is now the latest version of the WooCommerce plugin. If you're using Dokan on your website, you are also using WooCommerce, as Dokan is a WooCommerce-based multi-vendor eCommerce solution. So you should head over to your WordPress Update menu and update your WooCommerce plugin to version 2.3.6.
In its blog post, Wordfence explained that the specific SQL injection vulnerability was in the admin panel of WooCommerce. “Within the Tax Settings page of WooCommerce, the key of the ‘tax_rate_country’ POST parameter is passed unescaped into a SQL insert statement,” explained Wordfence. “For example, a payload of tax_rate_country[(SELECT SLEEP(10))]
would cause the MySQL server to sleep for 10 seconds.“
Further adding how this vulnerability could be exploited, the firm wrote, “Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.“
Fortunately for WooCommerce users, there is nothing to be afraid of, as WooCommerce developers were quick to respond and fix the issue with a new version within a few hours of the time they were alerted of the vulnerability. For Dokan users, it is strongly advised that the WooCommerce plugin be updated to the latest version 2.3.6 to avoid any security risk that might be caused by this vulnerability.
Are you using Dokan on your e-commerce site? Please head over to your WordPress Dashboard/Update page and check for plugin updates. You should see WooCommerce version 2.3.6 update available if you haven't updated already.