Three popular ecommerce plugins for WordPress (WP) installations, open to SQL injection attacks since December 2022, have been patched, protecting businesses from threat actors modifying or deleting their websites.
The three affected plugins, as discovered by Tenable security researcher Joshua Martinelle (via BleepingComputer), were ‘Paid Memberships Pro’, a subscription management tool active on over 100,000 installations, ‘Easy Digital Downloads’, an e-commerce tool active on over 50,000 installations, and ‘Survey Maker’ (a market research tool with over 3,000 active installations).
SQL injections are security flaws that allow attackers to enter data into website forms or URLs in order to modify the queries a site sends to its database. Attackers can use vulnerabilities that allow SQL injection to inject scripts designed to modify websites, or to gain unauthorized access to their backends.
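To make concrete what "entering data into a form or URL to modify a database query" means, here is an added example, not code from the article or from any of the plugins it names, written in Python with the standard sqlite3 module. The table, its rows and the request value are constructed for illustration. The two lookup functions run the same query: one builds it by string formatting, so a crafted value changes what the statement means; the other binds the value as a parameter, so the same input is only ever compared as data.

```python
import sqlite3

# Constructed sample schema and rows standing in for a plugin's table
# (hypothetical; not taken from any of the plugins in the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE memberships (id INTEGER PRIMARY KEY, user_email TEXT, level TEXT)"
    )
    conn.executemany(
        "INSERT INTO memberships (user_email, level) VALUES (?, ?)",
        [("alice@example.com", "gold"),
         ("bob@example.com", "silver"),
         ("carol@example.com", "free")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The request parameter is spliced into the SQL text, so the database
    # cannot tell where the statement ends and the user's value begins.
    sql = "SELECT id, user_email, level FROM memberships WHERE user_email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Parameter binding: the value travels separately from the query text,
    # so quotes and SQL keywords inside it are compared as data, never parsed.
    sql = "SELECT id, user_email, level FROM memberships WHERE user_email = ?"
    return conn.execute(sql, (email,)).fetchall()

def row_count(conn, lookup, email):
    return len(lookup(conn, email))

if __name__ == "__main__":
    db = make_db()
    # A value a code reviewer or scanner would send to probe the lookup: the
    # quote closes the string literal and the OR clause makes the WHERE
    # condition true for every row.
    probe = "x' OR '1'='1"
    print("vulnerable:", row_count(db, lookup_vulnerable, probe), "rows")  # every row leaks
    print("safe:     ", row_count(db, lookup_safe, probe), "rows")         # nothing matches
```

In a WordPress plugin the equivalent of `lookup_safe` is building the statement with `$wpdb->prepare()` rather than concatenating request values into the string handed to `$wpdb->query()` or `$wpdb->get_results()`; that concatenation pattern is what code review and static-analysis rules for WP plugins look for. Note that sqlite3 executes one statement per call, so this demonstration shows a rewritten condition, not stacked statements.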
WordPress SQL injections
While any website can be vulnerable to SQL injection during development, WordPress installations, hosted on a popular, centralized platform stocked with many common plugins, are a popular target for threat actors looking for exploits.
In January 2023 alone, TechRadar Pro has reported on other WP plugins offering live chat functionality being leveraged, over the course of three years, to execute JavaScript code that redirects users to malicious websites, as well as another similar exploit targeting a plug-in adding gift card functionality to online stores.
Fortunately, after disclosure of the flaws and the release of proof-of-concept exploits (PoCs) by Martinelle to WordPress on 19 December 2022, the developers of the plugins moved fast to address the flaws, with fixes being released in a matter of weeks, and even days.
A fix for ‘Survey Maker’, as part of version 3.1.2 of the plugin, was released as soon as the 21st of December. ‘Paid Memberships Pro’ followed on the 27th, with a fix rolled into version 2.9.8, and ‘Easy Digital Downloads’ followed on 5 January 2023 as part of version 3.1.0.4.
If they haven’t already, affected users are advised to update these plugins to the latest versions to protect themselves from SQL injection attacks for the foreseeable future.
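One check a site owner or hosting provider can run against their own plugin inventory, as an added example that is not code from the article or from the plugin authors: compare each installed version against the minimum fixed version reported above. The inventory in the block is constructed; the plugin names and fixed versions are the ones the article gives. The version comparison is done component by component so that four-part versions like 3.1.0.4 rank correctly against three-part ones.

```python
# Minimum fixed versions as reported in the article above.
FIXED_VERSIONS = {
    "Survey Maker": "3.1.2",
    "Paid Memberships Pro": "2.9.8",
    "Easy Digital Downloads": "3.1.0.4",
}

def parse_version(version):
    # Compare component by component as integers: "3.1.0.4" must rank above
    # "3.1.0" and "2.10.0" above "2.9.8"; a plain string compare gets both wrong.
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_patched(plugin, installed):
    # True/False for the three plugins the article covers, None for any other.
    fixed = FIXED_VERSIONS.get(plugin)
    if fixed is None:
        return None
    return parse_version(installed) >= parse_version(fixed)

def audit(inventory):
    # inventory: list of (plugin name, installed version) pairs.
    # Returns the covered plugins still below their fixed version, with the
    # version they need to reach.
    needs_update = []
    for plugin, installed in inventory:
        if is_patched(plugin, installed) is False:
            needs_update.append((plugin, installed, FIXED_VERSIONS[plugin]))
    return needs_update

if __name__ == "__main__":
    # Constructed sample inventory for illustration.
    sample = [
        ("Paid Memberships Pro", "2.9.7"),
        ("Easy Digital Downloads", "3.1.0.4"),
        ("Survey Maker", "3.0.9"),
        ("Some Other Plugin", "1.0"),
    ]
    for plugin, installed, fixed in audit(sample):
        print(f"{plugin}: installed {installed}, fixed in {fixed} -> update")
```

On a real site the inventory can come from WP-CLI (`wp plugin list --fields=name,version --format=csv`), which prints plugin slugs rather than display names, so the dictionary keys would need to be the corresponding slugs. The check only confirms the version floor; it is no substitute for actually applying the update.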