WordPress Plugin Vulnerabilities

WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection

Description

The plugin was reported to be affected by a critical Unauthenticated SQL Injection vulnerability.

Affects Plugins

Plugin icon
woo-gutenberg-products-block
Fixed in 5.5.1

References

CVE
CVE-2021-32789
URL
https://github.com/woocommerce/woocommerce-gutenberg-products-block/security/advisories/GHSA-6hq4-w6wv-8wrp
URL
https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
URL
https://twitter.com/WooCommerce/status/1415442447312764931
URL
https://noc.org/2021/07/15/serious-sqli-in-woocommerce/
URL
https://blog.wpscan.com/critical-woocommerce-vulnerabilities/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Josh (jl-dos)
Verified
No
WPVDB ID
0f2089dc-9376-4d7d-95a2-25c99526804a

Timeline

Publicly Published
2021-07-15 (about 4 years ago)
Added
2021-07-15 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-11-13
Title
WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection
Published
2021-08-22
Title
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
Published
2025-01-07
Title
MindValley Super PageMash <= 1.1 - Authenticated (Editor+) SQL Injection
Published
2025-09-10
Title
All in one Minifier <= 3.2 - Unauthenticated SQL Injection
Published
2025-06-05
Title
ShortLinks Pro < 1.0.8 - Authenticated (Administrator+) SQL Injection