CVE-2021-32789
high-risk
Published 2021-07-26
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
Do I need to act?
!
91.4% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (10)
Permissions Required
https://hackerone.com/reports/1260787
Permissions Required
https://wooengineering.wordpress.com/2021/07/14/incident-report-sql-injection-vi...
Permissions Required
https://hackerone.com/reports/1260787
Permissions Required
https://wooengineering.wordpress.com/2021/07/14/incident-report-sql-injection-vi...
51
/ 100
high-risk
Severity
26/34 · High
Exploitability
20/34 · Moderate
Exposure
5/34 · Minimal