CVE-2021-32789
Published: 2021-07-26
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck KEV: exploited in the wild
EPSS: 17.23% (96.7th percentile)
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read-only SQL query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
Affected
32 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | woocommerce_blocks | >= 2.5.0 < 2.5.16 | 2.5.16 |
| automattic | woocommerce_blocks | >= 2.6.0 < 2.6.2 | 2.6.2 |
| automattic | woocommerce_blocks | >= 2.7.0 < 2.7.2 | 2.7.2 |
| automattic | woocommerce_blocks | >= 2.8.0 < 2.8.1 | 2.8.1 |
| automattic | woocommerce_blocks | >= 2.9.0 < 2.9.1 | 2.9.1 |
| automattic | woocommerce_blocks | >= 3.0.0 < 3.0.1 | 3.0.1 |
| automattic | woocommerce_blocks | >= 3.1.0 < 3.1.1 | 3.1.1 |
| automattic | woocommerce_blocks | >= 3.2.0 < 3.2.1 | 3.2.1 |
| automattic | woocommerce_blocks | >= 3.3.0 < 3.3.1 | 3.3.1 |
| automattic | woocommerce_blocks | >= 3.4.0 < 3.4.1 | 3.4.1 |
| automattic | woocommerce_blocks | >= 3.5.0 < 3.5.1 | 3.5.1 |
| automattic | woocommerce_blocks | >= 3.6.0 < 3.6.1 | 3.6.1 |
| automattic | woocommerce_blocks | >= 3.7.0 < 3.7.2 | 3.7.2 |
| automattic | woocommerce_blocks | >= 3.8.0 < 3.8.1 | 3.8.1 |
| automattic | woocommerce_blocks | >= 3.9.0 < 3.9.1 | 3.9.1 |
| automattic | woocommerce_blocks | >= 4.0.0 < 4.0.1 | 4.0.1 |
| automattic | woocommerce_blocks | >= 4.1.0 < 4.1.1 | 4.1.1 |
| automattic | woocommerce_blocks | >= 4.2.0 < 4.2.1 | 4.2.1 |
| automattic | woocommerce_blocks | >= 4.3.0 < 4.3.1 | 4.3.1 |
| automattic | woocommerce_blocks | >= 4.4.0 < 4.4.3 | 4.4.3 |
| automattic | woocommerce_blocks | >= 4.5.0 < 4.5.3 | 4.5.3 |
| automattic | woocommerce_blocks | >= 4.6.0 < 4.6.1 | 4.6.1 |
| automattic | woocommerce_blocks | >= 4.7.0 < 4.7.1 | 4.7.1 |
| automattic | woocommerce_blocks | >= 4.8.0 < 4.8.1 | 4.8.1 |
| automattic | woocommerce_blocks | >= 4.9.0 < 4.9.2 | 4.9.2 |
Detection & IOCs (extracted from sources)
Observed exploitation URL:
`/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500`
- Look for GET requests to the REST endpoint `/?rest_route=/wc/store/products/collection-data` or `/wc/store/products/collection-data` with the `calculate_attribute_counts[][taxonomy]` parameter containing double-URL-encoded SQL payloads (e.g., `%2522`, `%2529`, `union`, `select`).
- Successful exploitation returns a JSON response (Content-Type: application/json, HTTP 200) containing the strings `sqli-test`, `attribute_counts`, `price_range`, and `term` in the body, indicating data exfiltration from `wp_users`.
- The attack is unauthenticated (PR:N) and targets WooCommerce Blocks versions 2.5.0 through 5.5.x. No authentication headers or cookies are required to trigger the SQL injection.
- The SQL injection is read-only; exploitation allows SELECT queries only and cannot be used to write or modify data.
- There are no known workarounds aside from upgrading to a patched version (2.5.16 or later for the 2.5.x branch).
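The detection notes above, turned into log-scanning logic as an added example (not code from the page or from WooCommerce): it isolates the `collection-data` Store API endpoint in either URL form, strips the repeated URL encoding from every `calculate_attribute_counts[...][taxonomy]` value, and flags only values that carry the quote/parenthesis or SQL-keyword markers. The access-log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory; reachable via a pretty permalink or ?rest_route=.
ENDPOINT = "/wc/store/products/collection-data"
TAXONOMY_PARAM = re.compile(r"^calculate_attribute_counts\[\d*\]\[taxonomy\]$")
# Markers from the detection notes: a closing quote/paren or a SQL keyword.
SQL_MARKERS = re.compile(r"(\bunion\b|\bselect\b|[\"')]|--|/\*)", re.IGNORECASE)

# Constructed sample access-log lines (not real traffic); line 2 mirrors the
# double-encoded shape of the exploit URL, lines 1 and 3 are benign.
LOG_LINES = [
    '203.0.113.5 - - [26/Jul/2021:10:00:01 +0000] "GET /wc/store/products/collection-data?calculate_attribute_counts[0][taxonomy]=pa_color HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Jul/2021:10:00:02 +0000] "GET /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520select%2525201 HTTP/1.1" 200 734',
    '198.51.100.2 - - [26/Jul/2021:10:00:03 +0000] "GET /wp-json/wc/store/products?search=union HTTP/1.1" 200 2048',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value, max_rounds=5):
    """Undo nested URL encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(url):
    """Return decoded taxonomy values that carry SQL markers, or [] if clean."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    on_endpoint = parts.path.endswith(ENDPOINT) or params.get("rest_route", "").endswith(ENDPOINT)
    if not on_endpoint:
        return []
    hits = []
    for key, raw in params.items():
        if TAXONOMY_PARAM.match(key):
            decoded = fully_decode(raw)  # parse_qsl already removed one layer
            if SQL_MARKERS.search(decoded):
                hits.append(decoded)
    return hits


def scan_log(lines):
    """Yield (client_ip, decoded_payloads) for each request that matches."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            hits = inspect_request(m.group(1))
            if hits:
                findings.append((line.split()[0], hits))
    return findings
```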
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
No detection rules found.
Nuclei
CVE-2021-32789 [HIGH] WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
nuclei · CVSS 7.5
Template:
```yaml
id: CVE-2021-32789
info:
  name: WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
  author: rootxharsh,iamnoooob,S1r1u5_,cooki
```
Unit42
[CRITICAL] Network Security Trends: August-October 2021
blogs_unit42 · 2021-12-21 · CVSS 9.8
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from August-October 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, say, cross-site scripting or denial of service.
Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. For example, we chart a timeframe showing how frequently the most commonly exploited vulnerabilities were attacked through networks and the locations from which the att
Author: Yue Guan · Published: December 21, 2021
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
References
- https://github.com/woocommerce/woocommerce-gutenberg-products-block-ghsa-6hq4-w6wv-8wrp/pull/1
- https://github.com/woocommerce/woocommerce-gutenberg-products-block/security/advisories/GHSA-6hq4-w6wv-8wrp
- https://hackerone.com/reports/1260787
- https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
- https://wooengineering.wordpress.com/2021/07/14/incident-report-sql-injection-via-store-api/