
Thousands of WordPress websites may be in danger, so patch right away

Three well-known e-commerce plugins for WordPress (WP) installations that have been vulnerable to SQL injection attacks since December 2022 have been patched, preventing threat actors from deleting or altering websites for businesses.

The three impacted plugins were “Paid Memberships Pro,” a subscription management tool with over 100,000 active installations; “Easy Digital Downloads,” an e-commerce tool with over 50,000 active installations; and “Survey Maker,” a market research tool with over 3,000 active installations, according to Tenable security researcher Joshua Martinelle.

SQL injections are security flaws that let attackers modify a website’s database by entering crafted input into website forms or URLs. Where a vulnerability permits SQL injection, attackers can insert SQL fragments intended to change the website’s content or gain unauthorised access to its backend.

SQL injections in WordPress

While all websites can be vulnerable to SQL injection during development, WordPress installations are a favourite target for threat actors looking for exploits because they are hosted on a well-known, centralised platform and stocked with many widely used plugins.
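As an added illustration (not code from the article or from any of the three plugins), the core defect behind a WordPress plugin SQL injection and its fix: a hypothetical plugin handler that concatenates a request parameter into a query, beside the same handler rewritten with `$wpdb->prepare()`. The function name `survey_lookup` and the table `survey_results` are assumptions for illustration.

```php
<?php
// Added example, not from the article or from any named plugin.
// Hypothetical handler that looks up a record by an id taken from the request.

// VULNERABLE: the request value is concatenated into the SQL string, so the
// caller controls part of the query text. This is the pattern that lets a
// SQL injection alter or read other tables in the WordPress database.
function survey_lookup_vulnerable( $request ) {
    global $wpdb;
    $id  = $request['survey_id'];
    $sql = "SELECT title, answers FROM {$wpdb->prefix}survey_results WHERE id = " . $id;
    return $wpdb->get_results( $sql );
}

// FIXED: $wpdb->prepare() binds the value through a %d placeholder, so it is
// always treated as an integer and never as SQL text. A capability check and
// a nonce ensure only authorised requests reach the query at all.
function survey_lookup_fixed( $request ) {
    global $wpdb;
    if ( ! current_user_can( 'read' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability' );
    }
    if ( ! isset( $request['_wpnonce'] )
         || ! wp_verify_nonce( $request['_wpnonce'], 'survey_lookup' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request' );
    }
    $id  = absint( $request['survey_id'] ); // coerce to a non-negative integer
    $sql = $wpdb->prepare(
        "SELECT title, answers FROM {$wpdb->prefix}survey_results WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// A string filter (e.g. a search term) is bound with %s; for LIKE patterns the
// wildcard characters in the user's term are escaped first with esc_like().
function survey_search_fixed( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title FROM {$wpdb->prefix}survey_results WHERE title LIKE %s",
            $like
        )
    );
}
```

When auditing a plugin, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL is built by concatenation or interpolation without `prepare()`; those are the spots to review first.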

TechRadar Pro has documented several other WP plugin exploits in January 2023 alone, including one in which plugins that provide live chat functionality were abused over the course of three years to run JavaScript code that directs users to malicious websites. Another similar exploit targeted a plug-in that adds gift card functionality to online stores.

Fortunately, the plugin developers moved quickly to address the flaws after Martinelle disclosed them, along with proof-of-concept exploits (PoCs), to WordPress on 19 December 2022. Fixes were released within weeks, or even days.

As early as December 21st, version 3.1.2 of “Survey Maker,” which included a fix, was made available. A fix for “Paid Memberships Pro” shipped in version 2.9.8 on the 27th, and a fixed version of “Easy Digital Downloads” followed on the 5th.

Affected users who haven’t already done so are encouraged to update these plugins to the most recent versions in order to safeguard themselves against SQL injection attacks for the foreseeable future.