Three popular e-commerce plugins for WordPress (WP) installations that were found to be open to SQL injection attacks in December 2022 have been patched, protecting businesses from threat actors modifying or defacing their websites.
The three affected plugins, discovered by Tenable security researcher Joshua Martinelle (via Bleeping Computer), are 'Paid Memberships Pro', a subscription management tool with over 100,000 installs; 'Easy Digital Downloads', an active eCommerce tool with over 50,000 installs; and 'Survey Maker', a market research tool with over 3,000 active installs.
SQL injection is a security flaw that lets an attacker supply crafted data through a website form or URL parameter so that it is executed as part of a database query. An attacker could use a SQL injection vulnerability to read or modify the database behind a website, alter its content, or gain unauthorized access to its backend.
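To make the flaw concrete, here is an added example (not code from the article or from any of the three plugins) that builds a small in-memory SQLite table and runs the same lookup two ways: once with the untrusted value concatenated into the query string, and once with the value bound as a parameter, which is the role `$wpdb->prepare()` plays in WordPress plugin code. The table contents and the inputs are constructed for the demonstration; the hostile input is the textbook tautology that turns a filtered lookup into a full table dump when the query is built by string concatenation.

```python
import sqlite3

# Constructed sample data standing in for a membership plugin's table.
MEMBERS = [(1, "alice", "gold"), (2, "bob", "silver"), (3, "carol", "gold")]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, login TEXT, level TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, level):
    """Vulnerable form: the request value is pasted straight into the SQL text.

    Whatever the caller supplies becomes part of the statement, so quotes and
    operators in the input change the query's logic instead of being data.
    """
    sql = "SELECT login FROM members WHERE level = '" + level + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, level):
    """Hardened form: the value travels as a bound parameter.

    The database receives the statement and the value separately, so the
    input can only ever be compared as a string; it cannot alter the query.
    """
    sql = "SELECT login FROM members WHERE level = ?"
    return [row[0] for row in conn.execute(sql, (level,))]


def demo():
    """Run both lookups with a benign value and with a hostile one.

    Returns a dict so the outcome can be inspected or asserted on rather than
    only printed.
    """
    conn = make_db()
    benign = "gold"
    hostile = "' OR '1'='1"  # constructed input, e.g. from a form field or URL parameter
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),         # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The only difference between the two functions is how the value reaches the database engine. Reviewing a plugin for this bug class therefore comes down to finding every place a request value is interpolated into SQL text and routing it through a prepared statement instead.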
WordPress SQL Injection
While any website can be left vulnerable to SQL injection during development, WordPress installations hosted on popular centralized platforms and running many widely used plugins are a favoured target for threat actors looking to exploit this class of vulnerability.
Thankfully, after Martinelle disclosed the vulnerability together with a proof-of-concept exploit (PoC) to WordPress on December 19, 2022, the plugins' developers acted quickly to address it and released fixes within weeks, in some cases within hours.
A fix for 'Survey Maker' was released on December 21 as part of plugin version 3.1.2. 'Paid Memberships Pro' followed on December 27 with fixes in version 2.9.8, and 'Easy Digital Downloads' followed on January 5, 2023 as part of version 22.214.171.124.
Affected users who have not already done so are advised to update these plugins to the latest versions to protect themselves against SQL injection attacks for the foreseeable future.
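For administrators who manage several sites, the practical check is whether each installed plugin is at or above the first fixed release. The following added example (not from the article or the plugin vendors) compares the versions reported by `wp plugin list --format=csv` against a table of minimum fixed versions, using numeric comparison so that a release such as 3.1.10 is not mistaken for being older than 3.1.2. The CSV text is constructed to look like WP-CLI output; the plugin slugs `survey-maker` and `paid-memberships-pro` are assumed, and the thresholds are the two fixed versions stated above. Easy Digital Downloads can be added to the table with the fixed version from its changelog.

```python
import csv
import io

# Minimum fixed versions stated in the article. Slugs are assumed to match
# the plugin directory names reported by WP-CLI.
MIN_FIXED = {
    "survey-maker": "3.1.2",
    "paid-memberships-pro": "2.9.8",
}

# Constructed sample resembling `wp plugin list --format=csv` output.
SAMPLE_WP_CLI_CSV = """name,status,update,version
survey-maker,active,none,3.1.2
paid-memberships-pro,active,available,2.9.7
akismet,inactive,none,5.0.2
"""


def parse_version(text):
    """Turn '3.1.10' into (3, 1, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def find_outdated(csv_text, minimums=MIN_FIXED):
    """Return {slug: (installed, required)} for tracked plugins below the fix.

    Plugins not in `minimums` are ignored; plugins in `minimums` that are not
    installed are simply absent from the result.
    """
    outdated = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = row["name"]
        if slug not in minimums:
            continue
        installed = row["version"]
        required = minimums[slug]
        if parse_version(installed) < parse_version(required):
            outdated[slug] = (installed, required)
    return outdated


if __name__ == "__main__":
    for slug, (have, need) in find_outdated(SAMPLE_WP_CLI_CSV).items():
        print(f"{slug}: installed {have}, needs at least {need}")
```

Feeding the real WP-CLI output into `find_outdated` (for example via `wp plugin list --format=csv | python3 check.py` with a small wrapper that reads stdin) gives a per-site list of plugins still exposed.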