WordPress Plugin Vulnerabilities

Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection

Description

The plugin was reported to be affected by a critical Authenticated Blind SQL Injection vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
woocommerce
Fixed in 5.5.1

References

CVE
CVE-2021-32790
URL
https://github.com/woocommerce/woocommerce/security/advisories/GHSA-7vx5-x39w-q24g
URL
https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
URL
https://twitter.com/WooCommerce/status/1415442447312764931
URL
https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/
URL
https://noc.org/2021/07/15/serious-sqli-in-woocommerce/
URL
https://blog.wpscan.com/critical-woocommerce-vulnerabilities/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Josh (jl-dos)
Verified
No
WPVDB ID
1212fec8-1fde-41e5-af70-abdd7ffe5379

Timeline

Publicly Published
2021-07-15 (about 4 years ago)
Added
2021-07-15 (about 4 years ago)
Last Updated
2023-01-23 (about 2 years ago)

Other

Published
Title
Published
2025-05-07
Title
YaySMTP < 2.6.5 - Authenticated (Administrator+) SQL Injection
Published
2023-11-28
Title
WordPress Brute Force Protection < 2.2.6 - Admin+ SQLi
Published
2021-09-21
Title
Game Server Status <= 1.0 - Contributor+ SQL Injection
Published
2023-12-28
Title
WS Form LITE < 1.9.171 - Authenticated(Administrator+) SQL Injection
Published
2025-03-21
Title
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit < 3.5.2 - Unauthenticated SQL Injection via 'automationId'