Three well-known WordPress (WP) plugins, two of them e-commerce tools, that were found vulnerable to SQL injection in December 2022 have been patched, closing flaws that would have let threat actors alter or delete data behind business websites.
The three affected plugins were “Paid Memberships Pro,” a subscription management tool with over 100,000 active installations, “Easy Digital Downloads,” an e-commerce tool with over 50,000 active installations, and “Survey Maker,” a market research tool with over 3,000 active installations, according to Tenable security researcher Joshua Martinelle.
SQL injection is a flaw in which input the attacker controls, typically a form field or a URL parameter, is pasted into a database query as SQL text instead of being passed as data. An attacker can then append their own SQL statements to read, alter or delete the contents of the site's database, or to gain unauthorised access to its backend.
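The mechanism described above, as an added example that is not code from any of the three plugins or from Tenable's advisories: a vulnerable query that concatenates a request parameter, beside the fixed form that binds it as a parameter. It runs stand-alone with plain PHP against an in-memory SQLite database via PDO; the table name, columns, rows and attacker payload are constructed for the illustration. In a real WordPress plugin the fixed form is `$wpdb->prepare()` with `%s`/`%d` placeholders rather than PDO, but the rule is the same.

```php
<?php
// Added example, not code from the plugins named in the article.
// Stand-in for a plugin's database: a constructed table with one row that
// should be hidden from unauthenticated visitors (published = 0).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_survey (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO wp_survey VALUES (1, 'Customer feedback', 1), (2, 'Internal draft', 0)");

// Vulnerable pattern: the request parameter becomes part of the SQL text.
// A plugin doing the same with $wpdb->get_results($sql) has the same bug.
function get_survey_vulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT id, title FROM wp_survey WHERE published = 1 AND id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the value is bound as a parameter and can never change the
// query structure. The cast mirrors a %d placeholder in $wpdb->prepare().
function get_survey_fixed(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM wp_survey WHERE published = 1 AND id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, the kind a ?id= URL parameter would carry.
// AND binds tighter than OR, so the WHERE clause becomes
// (published = 1 AND id = 0) OR 1=1, which matches every row.
$payload = '0 OR 1=1';

echo "vulnerable:\n";
print_r(get_survey_vulnerable($db, $payload)); // both rows, including the unpublished draft
echo "fixed:\n";
print_r(get_survey_fixed($db, $payload));      // no rows: (int) '0 OR 1=1' is 0
```

When auditing a plugin, the pattern to look for is any `$wpdb->query()`, `$wpdb->get_results()`, `$wpdb->get_var()` or `$wpdb->get_row()` call whose SQL string is built with `.` or string interpolation from `$_GET`, `$_POST`, `$_REQUEST` or REST request parameters without passing through `$wpdb->prepare()`.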
SQL injections in WordPress
Any web application can pick up a SQL injection flaw during development, but WordPress installations are a favourite target for threat actors because they run on a well-known, widely deployed platform and typically carry many popular third-party plugins, so a single plugin flaw can be exploited across a large number of sites.
Fortunately, the plugin developers moved quickly once Martinelle disclosed the flaws, together with proof-of-concept exploits (PoCs), to WordPress on 19 December 2022. Fixes were released within days to weeks.
“Survey Maker” was fixed first: version 3.1.2 was released on 21 December 2022. “Paid Memberships Pro” followed with version 2.9.8 on 27 December, and “Easy Digital Downloads” with version 126.96.36.199 on 5 January 2023.
Site owners running any of these plugins should update to the current release if they have not already done so; until the update is applied, the injection flaws remain exploitable.