Three popular ecommerce plugins for WordPress (WP) installations, open to SQL injection attacks since December 2022, have been patched, protecting businesses from threat actors modifying or deleting their websites.
The three affected plugins, as discovered by Tenable security researcher Joshua Martinelle (opens in new tab) (via BleepingComputer (opens in new tab)), were ‘Paid Memberships Pro (opens in new tab)’, a subscription management tool active on over 100,000 installations, ‘Easy Digital Downloads (opens in new tab)’, an e-commerce tool active on over 50,000 installations, and ‘Survey Marker (opens in new tab)’ (a market research tool with over 3,000 active installations)
SQL injections are security flaws that allow attackers to input data into website forms or URLs to modify databases. Attackers can use vulnerabilities that allow SQL injections to inject scripts designed to modify websites, or gain unauthorized access to their backends.
WordPress SQL injections
While all websites can be vulnerable to SQL injection during development, WordPress installations, hosted on a popular, centralized platform stocked with many common plugins, are a popular target for threat actors looking for exploits.
In January 2023 alone, TechRadar Pro has reported on other WP plugins offering live chat functionality being leveraged, over the course of three years, to execute JavaScript code that redirects users to malicious websites, as well as another similar exploit targeting a plug-in adding gift card functionality to online stores.
Thankfully, after disclosure of the flaws and the release of proof-of-concept exploits (PoCs) by Martinelle to WordPress on 19 December 2022, the developers of the plugins moved fast to address the flaws, with fixes being released in a matter of weeks, or even days.
A fix for ‘Survey Maker’, as part of version 3.1.2 of the plugin, was released as soon as the 21st of December. ‘Paid Memberships Pro’ followed on the 27th, with a fix rolled into version 2.9.8, and ‘Easy Digital Downloads’ followed on 5 January 2023 as part of version 3.1.0.4.
If they haven’t already, affected users are advised to update these plugins to the latest versions to protect themselves from SQL injection attacks for the foreseeable future.
