SQL Injection Affecting woocommerce/woocommerce-blocks package, versions >=5.5.0, <5.5.1 >=5.4.0, <5.4.1 >=5.3.0, <5.3.2 >=5.2.0, <5.2.1 >=5.1.0, <5.1.1 >=5.0.0, <5.0.1 >=4.9.0, <4.9.2 >=4.8.0, <4.8.1 >=4.7.0, <4.7.1 >=4.6.0, <4.6.1 >=4.5.0, <4.5.3 >=4.4.0, <4.4.3 >=4.3.0, <4.3.1 >=4.2.0, <4.2.1 >=4.1.0, <4.1.1 >=4.0.0, <4.0.1 >=3.9.0, <3.9.1 >=3.8.0, <3.8.1 >=3.7.0, <3.7.2 >=3.6.0, <3.6.1 >=3.5.0, <3.5.1 >=3.4.0, <3.4.1 >=3.3.0, <3.3.1 >=3.2.0, <3.2.1 >=3.1.0, <3.1.1 >=3.0.0, <3.0.1 >=2.9.0, <2.9.1 >=2.8.0, <2.8.1 >=2.7.0, <2.7.2 >=2.6.0, <2.6.2 <2.5.16
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-WOOCOMMERCEWOOCOMMERCEBLOCKS-1533591
- published 27 Jul 2021
- disclosed 27 Jul 2021
- credit Unknown
Introduced: 27 Jul 2021
CVE-2021-32789 Open this link in a new tabHow to fix?
Upgrade woocommerce/woocommerce-blocks
to version 5.5.1, 5.4.1, 5.3.2, 5.2.1, 5.1.1, 5.0.1, 4.9.2, 4.8.1, 4.7.1, 4.6.1, 4.5.3, 4.4.3, 4.3.1, 4.2.1, 4.1.1, 4.0.1, 3.9.1, 3.8.1, 3.7.2, 3.6.1, 3.5.1, 3.4.1, 3.3.1, 3.2.1, 3.1.1, 3.0.1, 2.9.1, 2.8.1, 2.7.2, 2.6.2, 2.5.16 or higher.
Overview
woocommerce/woocommerce-blocks is a WooCommerce blocks for the Gutenberg editor.
Affected versions of this package are vulnerable to SQL Injection via a carefully crafted URL, an exploit can be executed against the wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]
endpoint that allows the execution of a read only sql query.