An SQL injection vulnerability has been discovered in the TI WooCommerce Wishlist plugin, affecting over 100,000 active WordPress installations. The flaw, identified a few weeks ago, has yet to be patched by the vendor, leading to public disclosure by WPScan analysts who discovered and reported it.
Unauthenticated attackers could exploit this vulnerability to gain access to sensitive database information, steal admin account credentials, and elevate their privileges to the point of complete website takeover.
The vulnerability, now tracked as CVE-2024-43917, was uncovered in the plugin’s wishlist management functionality, specifically in the code handling language translations. The issue arises from the improper use of the implode function with $lang and $lang_default variables, allowing attackers to inject additional SQL statements into database queries. This could lead to unauthorized access or manipulation of website data.
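The pattern described above, imploding caller-controlled language values straight into a query, is shown here beside the hardened WordPress idiom (one $wpdb->prepare() placeholder per value). This is a constructed illustration added for this article, not the plugin's own code; the table name example_wishlists and both function names are hypothetical.

```php
<?php
// Constructed example (not TI WooCommerce Wishlist code). Both functions take
// WordPress's global $wpdb and an array of language codes from the request.

// UNSAFE: the values are quoted but never escaped or bound, so any quote
// inside $langs breaks out of the string literal and changes the query.
function get_wishlists_by_lang_unsafe( $wpdb, array $langs ) {
    $list = "'" . implode( "','", $langs ) . "'";
    $sql  = "SELECT * FROM {$wpdb->prefix}example_wishlists WHERE lang IN ($list)";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the shape of each value, then implode only the
// placeholders and let $wpdb->prepare() bind the actual values.
function get_wishlists_by_lang_safe( $wpdb, array $langs ) {
    // 1. Accept only locale-shaped strings such as en_US or de-DE.
    $langs = array_values( array_unique( array_filter( $langs, function ( $l ) {
        return is_string( $l )
            && preg_match( '/^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})?$/', $l ) === 1;
    } ) ) );
    if ( empty( $langs ) ) {
        return array();
    }

    // 2. One %s placeholder per surviving value: "%s,%s,%s".
    $placeholders = implode( ',', array_fill( 0, count( $langs ), '%s' ) );

    // 3. prepare() quotes and escapes each bound value; the table name is
    //    hypothetical and comes from code, never from the request.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_wishlists WHERE lang IN ($placeholders)",
        ...$langs
    );
    return $wpdb->get_results( $sql );
}
```

The same placeholder-building step applies to a default language merged into the list: append $lang_default to the array before validation so it is bound like every other value rather than concatenated.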
The TI WooCommerce Wishlist plugin, developed for WooCommerce-powered online stores, enables users to create and share product wishlists. As it serves a significant number of websites, the absence of a patch puts a large segment of WordPress users at risk. Unfortunately, despite the public disclosure of the issue, the vendor has not responded with a fix, and users are left vulnerable to potential exploitation.
WPScan published a bulletin about this issue earlier today, warning that a proof of concept will be made available on September 16, 2024. Active exploitation attempts are expected to begin earlier, as the flaw is trivial to work out even without a public PoC. It should be noted, however, that WPScan mentions a particular condition required for exploitation, which it did not specify.
The inability to directly reach the vendor prompted WPScan to notify WordPress.org, seeking further intervention to address the risk to website owners.
Given the lack of a patch, users are strongly advised to:
- Disable or uninstall the plugin until a fix is issued in a future update.
- Implement a custom Web Application Firewall (WAF) rule to block malicious queries targeting the vulnerable code.
- Monitor updates from WordPress.org and WPScan for further developments.
The TI WooCommerce Wishlist plugin might be a vital tool for many eCommerce sites, but until the vulnerability is addressed, users should prioritize safeguarding their websites from potentially catastrophic SQL injection attacks.