Thousands of WordPress sites could be at risk, so patch now
>
Three popular e-commerce plugins for WordPress (WP) installations, open to SQL injection attacks since December 2022, are patchedprotect companies from threat actors who modify or remove their websites.
The three affected plugins, as discovered by Tenable security researcher Joshua Martinelle (opens in new tab) (through Beeping computer (opens in new tab)), goods ‘Paid Memberships Pro (opens in new tab)‘, a subscription management tool that is active on more than 100,000 installations,’Simple digital downloads (opens in new tab)‘, an e-commerce tool active on more than 50,000 installations, and ‘Survey Marker (opens in new tab)‘ (a market research tool with over 3,000 active installs)
SQL injections are security flaws that allow attackers to enter data into website forms or URLs to modify databases. Attackers can use vulnerabilities that enable SQL injections to inject scripts designed to modify websites or gain unauthorized access to their backends.
WordPress SQL Injections
While all websites can be vulnerable to SQL injection during development, WordPress installations, hosted on a popular, centralized platform packed with widely used plugins, are a popular target for threat actors looking for exploits.
In January 2023 alone, Tech Radar Pro has reported on other WP plugin offerings live chat functionality used over the course of three years to execute JavaScript code that redirects users to malicious websites, as well as another similar abuse targeting a plugin adding gift card functionality online stores.
Fortunately, after the disclosure of the flaws and the release of proof-of-concept exploits (PoCs) by Martinelle to WordPress on December 19, 2022, the plugin developers moved quickly to address the flaws, with fixes that be released within weeks, or even days.
A fix for ‘Survey Maker’, as part of the plugin version 3.1.2, was released on December 21. Paid Memberships Pro followed on the 27th, with a fix in version 2.9.8, and Easy Digital Downloads followed on January 5, 2023 as part of version 3.1.0.4.
If they have not already done so, affected users are advised to update these plugins to the latest versions to protect themselves against SQL injection attacks in the near future.