CVE-2021-32789
published 2021-07-26


Priority: P1 81, high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 17.23% (96.7th percentile)
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin from version 2.5.0 up to, but not including, version 2.5.16 (and the corresponding unpatched releases of later branches; see Affected). Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read-only SQL query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

Affected

32 ranges · showing 25

Vendor      Product              Version range         Fixed in
automattic  woocommerce_blocks   >= 2.5.0 < 2.5.16     2.5.16
automattic  woocommerce_blocks   >= 2.6.0 < 2.6.2      2.6.2
automattic  woocommerce_blocks   >= 2.7.0 < 2.7.2      2.7.2
automattic  woocommerce_blocks   >= 2.8.0 < 2.8.1      2.8.1
automattic  woocommerce_blocks   >= 2.9.0 < 2.9.1      2.9.1
automattic  woocommerce_blocks   >= 3.0.0 < 3.0.1      3.0.1
automattic  woocommerce_blocks   >= 3.1.0 < 3.1.1      3.1.1
automattic  woocommerce_blocks   >= 3.2.0 < 3.2.1      3.2.1
automattic  woocommerce_blocks   >= 3.3.0 < 3.3.1      3.3.1
automattic  woocommerce_blocks   >= 3.4.0 < 3.4.1      3.4.1
automattic  woocommerce_blocks   >= 3.5.0 < 3.5.1      3.5.1
automattic  woocommerce_blocks   >= 3.6.0 < 3.6.1      3.6.1
automattic  woocommerce_blocks   >= 3.7.0 < 3.7.2      3.7.2
automattic  woocommerce_blocks   >= 3.8.0 < 3.8.1      3.8.1
automattic  woocommerce_blocks   >= 3.9.0 < 3.9.1      3.9.1
automattic  woocommerce_blocks   >= 4.0.0 < 4.0.1      4.0.1
automattic  woocommerce_blocks   >= 4.1.0 < 4.1.1      4.1.1
automattic  woocommerce_blocks   >= 4.2.0 < 4.2.1      4.2.1
automattic  woocommerce_blocks   >= 4.3.0 < 4.3.1      4.3.1
automattic  woocommerce_blocks   >= 4.4.0 < 4.4.3      4.4.3
automattic  woocommerce_blocks   >= 4.5.0 < 4.5.3      4.5.3
automattic  woocommerce_blocks   >= 4.6.0 < 4.6.1      4.6.1
automattic  woocommerce_blocks   >= 4.7.0 < 4.7.1      4.7.1
automattic  woocommerce_blocks   >= 4.8.0 < 4.8.1      4.8.1
automattic  woocommerce_blocks   >= 4.9.0 < 4.9.2      4.9.2

Detection & IOCs (extracted from sources)

URL: /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500
URL: /wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]
  • Look for GET requests to the REST endpoint `/?rest_route=/wc/store/products/collection-data` (sites without pretty permalinks) or `/wc/store/products/collection-data` (normally reached under `/wp-json/`) whose `calculate_attribute_counts[][taxonomy]` parameter carries a URL-encoded SQL payload. The published probe is double-URL-encoded (e.g. `%2522` for `"` and `%2529` for `)`), so decode the parameter repeatedly until it stops changing before matching on `union`, `select`, `from` and `concat(`; a single-encoded or plain payload reaches the same code path.
  • Successful exploitation returns a JSON response (Content-Type: application/json, HTTP 200) whose body contains the strings `sqli-test`, `attribute_counts`, `price_range` and `term`, indicating data exfiltrated from `wp_users`. Note that `sqli-test` is only the marker string concatenated into the published probe payload and can be changed freely by an attacker; `attribute_counts`, `price_range` and `term` are ordinary fields of this endpoint's response, so treat the request-side indicators as the reliable signal.
  • The attack is unauthenticated (PR:N) and targets WooCommerce Blocks versions 2.5.0 through 5.5.x. No authentication headers or cookies are required to trigger the SQL injection.
  • The SQL injection is read-only: exploitation allows SELECT queries only and cannot be used to write or modify data. Read access to `wp_users` (user logins and password hashes) is still sufficient for offline cracking and credential stuffing, so treat a confirmed hit as a credential exposure.
  • There are no known workarounds aside from upgrading to a patched version (2.5.16 or later for the 2.5.x branch; see the Affected table for the fixed release of each branch).
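The detection bullets above reduce to three checks: the request targets the collection-data endpoint (by path or by `rest_route`), the `calculate_attribute_counts[..][taxonomy]` parameter is present, and its value, once every layer of URL encoding is peeled off, contains SQL. The following Python script is an added example that is not part of this page's sources, the plugin, or any published detection rule; it runs those checks over constructed access-log lines. Line 1 reuses the IOC URL listed above, line 2 is a legitimate storefront request, and line 3 is the same payload with one fewer layer of encoding. The log format, client IPs and the `/wp-json/` path prefix are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/wc/store/products/collection-data"
# Matches calculate_attribute_counts[][taxonomy] and calculate_attribute_counts[0][taxonomy]
TAXONOMY_KEY = re.compile(r"^calculate_attribute_counts\[\d*\]\[taxonomy\]$")
# SQL tokens that never belong in a taxonomy slug such as "pa_color"
SQL_PATTERN = re.compile(
    r"union\s+(all\s+)?select|\bselect\b.+\bfrom\b|\bconcat\s*\(|\bwp_users\b", re.I
)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (assumed common log format, not from the page's sources).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jul/2021:10:01:02 +0000] "GET /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500 HTTP/1.1" 200 812
198.51.100.7 - - [26/Jul/2021:10:02:11 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][taxonomy]=pa_color&calculate_attribute_counts[0][query_type]=or HTTP/1.1" 200 412
198.51.100.9 - - [26/Jul/2021:10:03:30 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][taxonomy]=%22%29%20union%20all%20select%201%2Cconcat%28id%2C0x3a%2c%22sqli-test%22%29from%20wp_users%20where%20%49%44%20%49%4E%20%281%29%3B%00 HTTP/1.1" 200 940
"""


def decode_until_stable(value, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_value, extra_layers). parse_qs already removed one layer,
    so extra_layers > 0 means the client deliberately multi-encoded the value.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def is_collection_data_request(url):
    """True for /wp-json/wc/store/... paths and for the ?rest_route= form."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").endswith(ENDPOINT):
        return True
    rest_route = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == ENDPOINT for r in rest_route)


def inspect_request(url):
    """Return a finding dict if a taxonomy parameter carries SQL, else None."""
    if not is_collection_data_request(url):
        return None
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in query.items():
        if not TAXONOMY_KEY.match(key):
            continue
        for raw in values:
            decoded, extra_layers = decode_until_stable(raw)
            if SQL_PATTERN.search(decoded):
                return {
                    "param": key,
                    "decoded": decoded,
                    "extra_encoding_layers": extra_layers,
                }
    return None


def analyze_log(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f"{hit['client']}: {hit['param']} "
              f"(+{hit['extra_encoding_layers']} encoding layers) -> {hit['decoded']!r}")
```

Decoding until the value is stable is what makes the rule robust: the published probe needs two extra decode passes after the web server's own before the `union all select ... from wp_users` text appears, while line 3 matches with none. Matching only on the literal `%2522` bytes, as a naive rule would, misses the single-encoded variant entirely.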

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck  -        7.5    HIGH      -