Three standard ecommerce plugins for WordPress (WP) installations, open to SQL injection assaults since December 2022, have been patched, defending companies from risk actors modifying or deleting their web sites.
The three affected plugins, as found by Tenable safety researcher Joshua Martinelle (opens in new tab) (through BleepingComputer (opens in new tab)), had been ‘Paid Memberships Pro (opens in new tab)’, a subscription administration instrument energetic on over 100,000 installations, ‘Easy Digital Downloads (opens in new tab)’, an e-commerce instrument energetic on over 50,000 installations, and ‘Survey Marker (opens in new tab)’ (a market analysis instrument with over 3,000 energetic installations)
SQL injections are safety flaws that permit attackers to enter information into web site varieties or URLs to switch databases. Attackers can use vulnerabilities that permit SQL injections to inject scripts designed to switch web sites, or acquire unauthorized entry to their backends.
WordPress SQL injections
Whereas all web sites could be weak to SQL injection throughout growth, WordPress installations, hosted on a preferred, centralized platform stocked with many frequent plugins, are a preferred goal for risk actors searching for exploits.
Fortunately, after disclosure of the failings and the discharge of proof-of-concept exploits (PoCs) by Martinelle to WordPress on 19 December 2022, the builders of the plugins moved quick to deal with the failings, with fixes being launched in a matter of weeks, and even days.
A repair for ‘Survey Maker’, as a part of model 3.1.2 of the plugin, was launched as quickly because the twenty first of December. ‘Paid Memberships Pro’ adopted on the twenty seventh, with a repair rolled into model 2.9.8, and ‘Easy Digital Downloads’ adopted on 5 January 2023 as a part of model 220.127.116.11.
In the event that they haven’t already, affected customers are suggested to replace these plugins to the most recent variations to guard themselves from SQL injection assaults for the foreseeable future.