Thousands of WordPress sites could be at risk, so patch now

By Scott Marlette Last updated Jan 16, 2023

Three popular ecommerce plugins for WordPress (WP) installations, open to SQL injection attacks since December 2022, have been patched, protecting businesses from threat actors modifying or deleting their websites.

The three affected plugins, as discovered by Tenable security researcher Joshua Martinelle (opens in new tab) (via BleepingComputer (opens in new tab)), were ‘Paid Memberships Pro (opens in new tab)’, a subscription management tool active on over 100,000 installations, ‘Easy Digital Downloads (opens in new tab)’, an e-commerce tool active on over 50,000 installations, and ‘Survey Marker (opens in new tab)’ (a market research tool with over 3,000 active installations)

SQL injections are security flaws that allow attackers to input data into website forms or URLs to modify databases. Attackers can use vulnerabilities that allow SQL injections to inject scripts designed to modify websites, or gain unauthorized access to their backends.

WordPress SQL injections

While all websites can be vulnerable to SQL injection during development, WordPress installations, hosted on a popular, centralized platform stocked with many common plugins, are a popular target for threat actors looking for exploits.

In January 2023 alone, TechRadar Pro has reported on other WP plugins offering live chat functionality being leveraged, over the course of three years, to execute JavaScript code that redirects users to malicious websites, as well as another similar exploit targeting a plug-in adding gift card functionality to online stores.

Thankfully, after disclosure of the flaws and the release of proof-of-concept exploits (PoCs) by Martinelle to WordPress on 19 December 2022, the developers of the plugins moved fast to address the flaws, with fixes being released in a matter of weeks, or even days.

A fix for ‘Survey Maker’, as part of version 3.1.2 of the plugin, was released as soon as the 21st of December. ‘Paid Memberships Pro’ followed on the 27th, with a fix rolled into version 2.9.8, and ‘Easy Digital Downloads’ followed on 5 January 2023 as part of version 3.1.0.4.

If they haven’t already, affected users are advised to update these plugins to the latest versions to protect themselves from SQL injection attacks for the foreseeable future.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.