Vulnerability Details CVE-2021-32789
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.917
EPSS Ranking 99.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/woocommerce/woocommerce-gutenberg-products-block-ghsa-6hq4-w6wv-8wrp/pull/1
- https://github.com/woocommerce/woocommerce-gutenberg-products-block/security/advisories/GHSA-6hq4-w6wv-8wrp
- https://hackerone.com/reports/1260787
- https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
- https://wooengineering.wordpress.com/2021/07/14/incident-report-sql-injection-via-store-api/
- https://github.com/woocommerce/woocommerce-gutenberg-products-block-ghsa-6hq4-w6wv-8wrp/pull/1
- https://github.com/woocommerce/woocommerce-gutenberg-products-block/security/advisories/GHSA-6hq4-w6wv-8wrp
- https://hackerone.com/reports/1260787
- https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
- https://wooengineering.wordpress.com/2021/07/14/incident-report-sql-injection-via-store-api/
Products affected by CVE-2021-32789
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.0
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.1
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.10
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.11
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.11.1
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.12
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.13
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.14
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.14.1
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.15
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.2
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.3
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.4
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.5
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.6
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.7
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.8
-
cpe:2.3:a:automattic:woocommerce_blocks:2.5.9
-
cpe:2.3:a:automattic:woocommerce_blocks:2.6.0
-
cpe:2.3:a:automattic:woocommerce_blocks:2.6.1
-
cpe:2.3:a:automattic:woocommerce_blocks:2.7.0
-
cpe:2.3:a:automattic:woocommerce_blocks:2.7.1
-
cpe:2.3:a:automattic:woocommerce_blocks:2.8.0
-
cpe:2.3:a:automattic:woocommerce_blocks:2.9.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.0.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.1.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.2.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.3.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.4.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.5.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.6.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.7.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.7.1
-
cpe:2.3:a:automattic:woocommerce_blocks:3.8.0
-
cpe:2.3:a:automattic:woocommerce_blocks:3.9.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.0.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.1.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.2.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.3.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.4.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.4.1
-
cpe:2.3:a:automattic:woocommerce_blocks:4.4.2
-
cpe:2.3:a:automattic:woocommerce_blocks:4.5.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.5.1
-
cpe:2.3:a:automattic:woocommerce_blocks:4.5.2
-
cpe:2.3:a:automattic:woocommerce_blocks:4.6.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.7.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.8.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.9.0
-
cpe:2.3:a:automattic:woocommerce_blocks:4.9.1
-
cpe:2.3:a:automattic:woocommerce_blocks:5.0.0
-
cpe:2.3:a:automattic:woocommerce_blocks:5.1.0
-
cpe:2.3:a:automattic:woocommerce_blocks:5.2.0
-
cpe:2.3:a:automattic:woocommerce_blocks:5.3.0
-
cpe:2.3:a:automattic:woocommerce_blocks:5.3.1
-
cpe:2.3:a:automattic:woocommerce_blocks:5.4.0
-
cpe:2.3:a:automattic:woocommerce_blocks:5.5.0