Three popular e-commerce plugins for WordPress (WP) installations, whose SQL injection flaws were reported in December 2022, have been patched, closing holes that let attackers read, modify or delete the contents of a site's database.
The three affected plugins, discovered by Tenable security researcher Joshua Martinelle and first reported by BleepingComputer, were 'Paid Memberships Pro', a subscription management tool with over 100,000 installations; 'Easy Digital Downloads', an e-commerce tool with over 50,000 installs; and 'Survey Maker', a market research tool with over 3,000 active installs.
SQL injection is a class of vulnerability in which data an attacker supplies, through a form field, URL parameter, cookie or HTTP header, is concatenated into a database query without being escaped or bound as a parameter, so that part of the input is executed as SQL rather than treated as a value. Depending on the query and the privileges of the database account, an attacker can read data they should not see (in WordPress that includes the password hashes in the users table), modify or delete records, or use what they learn to gain unauthorized access to the site's back end.
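The mechanism, as an added illustration that is not code from the article or from any of the three plugins (which are written in PHP against MySQL): a Python/SQLite stand-in for a plugin endpoint that looks up a published survey by its id. Table names mirror WordPress conventions, the rows and the admin hash are constructed placeholders, and the two payloads are typical attacker inputs. The vulnerable variant interpolates the input into the query string; the safe variant binds it as a parameter, which is what WordPress's $wpdb->prepare() does for plugin code.

```python
import sqlite3

# Constructed sample data mirroring WordPress table names; the hash is a
# placeholder string, not a real credential.
ADMIN_HASH = "$P$BconstructedPlaceholderHash000000"

# Attacker-controlled values as they might arrive in a form field or URL
# parameter of a plugin endpoint (constructed for this example).
TAUTOLOGY_PAYLOAD = "1' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


def make_db():
    """Build an in-memory SQLite database standing in for the site's MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_surveys (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_surveys VALUES (1, 'Customer satisfaction', 1);
        INSERT INTO wp_surveys VALUES (2, 'Internal draft', 0);
        """
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return conn


def find_survey_vulnerable(conn, survey_id):
    """Query built by string interpolation: the input becomes part of the SQL text.

    A quote in the input closes the literal, so 'OR' clauses, UNIONs and
    '--' comments supplied by the attacker are parsed as query syntax.
    """
    sql = (
        "SELECT title FROM wp_surveys "
        f"WHERE published = 1 AND id = '{survey_id}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_survey_safe(conn, survey_id):
    """Parameterised query: the input is bound as data and can only be a value.

    The same payloads are compared against the id column as plain strings,
    match nothing, and never alter the query's structure.
    """
    sql = "SELECT title FROM wp_surveys WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (survey_id,))]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", find_survey_vulnerable), ("safe", find_survey_safe)):
        print(name, "normal:   ", fn(db, "1"))
        print(name, "tautology:", fn(db, TAUTOLOGY_PAYLOAD))
        print(name, "union:    ", fn(db, UNION_PAYLOAD))
```

Running the file shows the difference directly: the parameterised lookup returns the same row for a normal id and nothing for either payload, while the interpolated lookup returns the unpublished draft for the tautology (the injected OR defeats the published = 1 filter) and the admin login and password hash for the UNION, even though the endpoint was only meant to expose survey titles.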
SQL injections in WordPress
Any web application can be left open to SQL injection during development, but WordPress installations are an especially attractive target: they run on one widely used platform, typically carry many third-party plugins, and a single plugin flaw can be exploited across every site that has it installed.
In January 2023 alone, TechRadar Pro reported on another WordPress plugin, a live chat tool, whose functionality had been abused for three years to run JavaScript that redirects visitors to malicious websites, as well as a similar attack on a plugin that adds gift cards to online stores.
Fortunately, after Martinelle reported the bugs, with proof-of-concept (PoC) exploits, on December 19, 2022, the plugin developers addressed them quickly, and fixes were released within days or weeks.
The fix for 'Survey Maker', in version 3.1.2 of the plugin, was released on December 21, 2022. 'Paid Memberships Pro' followed on December 27, 2022 with version 2.9.8, and 'Easy Digital Downloads' on January 5, 2023 with version 3.1.0.4.
Affected users who have not already done so should update these plugins to the fixed versions or later. Because the PoC exploits are public, a site that ran a vulnerable version for long after the fixes shipped should also check for unexpected changes to its database and user accounts, not just install the update.