CVE-2021-32790 Information

Description

Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access or API keys to the WooCommerce site can exploit vulnerable endpoints of /wp-json/wc/v3/webhooks /wp-json/wc/v2/webhooks and other webhook listing API. Read-only SQL queries can be executed using this exploit while data will not be returned by carefully crafting search parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/woocommerce/woocommerce/security/advisories/GHSA-7vx5-x39w-q24g https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

4.9