CVE-2021-32790
published 2021-07-26


Priority: P2, 77, medium
CVSS 3.1: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.26% (66.1st percentile)
WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors who already have admin access, or API keys, to the WooCommerce site can exploit vulnerable endpoints such as `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing APIs. Read-only SQL queries can be executed through this flaw; although no query results are returned directly, a carefully crafted `search` parameter allows information to be disclosed through timing and related attacks. Version 3.3.6 is the earliest version of WooCommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.

Affected

24 ranges
Vendor        Product       Version range       Fixed in
woocommerce   woocommerce   (not specified)     -
woocommerce   woocommerce   >= 3.3.0 < 3.3.6    3.3.6
woocommerce   woocommerce   >= 3.4.0 < 3.4.8    3.4.8
woocommerce   woocommerce   >= 3.5.0 < 3.5.9    3.5.9
woocommerce   woocommerce   >= 3.6.0 < 3.6.6    3.6.6
woocommerce   woocommerce   >= 3.7.0 < 3.7.2    3.7.2
woocommerce   woocommerce   >= 3.8.0 < 3.8.2    3.8.2
woocommerce   woocommerce   >= 3.9.0 < 3.9.4    3.9.4
woocommerce   woocommerce   >= 4.0.0 < 4.0.2    4.0.2
woocommerce   woocommerce   >= 4.1.0 < 4.1.2    4.1.2
woocommerce   woocommerce   >= 4.2.0 < 4.2.3    4.2.3
woocommerce   woocommerce   >= 4.3.0 < 4.3.4    4.3.4
woocommerce   woocommerce   >= 4.4.0 < 4.4.2    4.4.2
woocommerce   woocommerce   >= 4.5.0 < 4.5.3    4.5.3
woocommerce   woocommerce   >= 4.6.0 < 4.6.3    4.6.3
woocommerce   woocommerce   >= 4.7.0 < 4.7.2    4.7.2
woocommerce   woocommerce   >= 4.8.0 < 4.8.1    4.8.1
woocommerce   woocommerce   >= 4.9.0 < 4.9.3    4.9.3
woocommerce   woocommerce   >= 5.0.0 < 5.0.1    5.0.1
woocommerce   woocommerce   >= 5.1.0 < 5.1.1    5.1.1
woocommerce   woocommerce   >= 5.2.0 < 5.2.3    5.2.3
woocommerce   woocommerce   >= 5.3.0 < 5.3.1    5.3.1
woocommerce   woocommerce   >= 5.4.0 < 5.4.2    5.4.2
woocommerce   woocommerce   >= 5.5.0 < 5.5.1    5.5.1

CVSS provenance

NVD, CVSS v3.1: 4.9 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 4.0 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:N
VulnCheck: 4.9 MEDIUM