Three popular e-commerce plugins for WordPress (WP) installations found in December 2022 to be open to SQL injection attacks have been patched, protecting companies from attackers modifying or deleting their websites' data.
The three affected plugins, as discovered by Tenable security researcher Joshua Martinelle (via BleepingComputer), were 'Paid Memberships Pro', a subscription management tool active on over 100,000 installations; 'Easy Digital Downloads', an e-commerce tool active on over 50,000 installations; and 'Survey Maker', a market research tool with over 3,000 active installs.
SQL injection is a class of vulnerability in which attacker-supplied input, typically entered into website forms or URL parameters, is pasted into a database query and executed as SQL rather than treated as data. An attacker who finds such a flaw can read, modify or delete database contents, and can use that access to alter the website or gain unauthorized access to its backend.
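As an added illustration (not code from the article or from any of the affected plugins), the following Python snippet uses an in-memory SQLite table constructed here to show the difference between a query assembled by string interpolation and a parameterized one. The table, the membership records and the attacker payload are all constructed for the example; the plugins' actual vulnerable code is not shown in the article.

```python
import sqlite3

# Constructed sample: a tiny "members" table standing in for a plugin's
# database table. None of this is the affected plugins' schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, level TEXT)")
    conn.executemany(
        "INSERT INTO members (email, level) VALUES (?, ?)",
        [("alice@example.com", "gold"),
         ("bob@example.com", "free"),
         ("carol@example.com", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Injectable: the untrusted value is pasted into the SQL text, so quote
    characters in it change the structure of the query itself."""
    sql = "SELECT email, level FROM members WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized: the value travels separately from the SQL text and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT email, level FROM members WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker input. Inside the vulnerable query the closing quote
# and OR turn the WHERE clause into a tautology (... = 'x' OR '1'='1'), so the
# filter matches every row instead of the one the developer intended.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    filtered = lookup_safe(conn, PAYLOAD)
    return len(leaked), len(filtered)


if __name__ == "__main__":
    print("vulnerable rows, safe rows:", demo())
```

The vulnerable lookup hands back the whole table for the payload while the parameterized one returns nothing, because no e-mail address literally equals the payload string. In WordPress plugin code the equivalent of the safe form is `$wpdb->prepare()` with `%s` and `%d` placeholders; building the query string with `.` concatenation of request data is the pattern that produces this class of bug.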
WordPress SQL injections
While any web application can end up vulnerable to SQL injection during development, WordPress installations are an especially attractive target for threat actors: the platform is widely used and centralized, and its many heavily installed plugins give attackers a large, uniform attack surface in which to hunt for exploits.
In January 2023 alone, TechRadar Pro has reported on a flaw in another WP plugin providing live chat functionality, exploited over the course of three years to execute JavaScript code that redirects users to malicious websites, as well as a similar exploit targeting a plugin that adds gift card functionality to online stores.
Fortunately, after Martinelle disclosed the bugs and released proof-of-concept exploits (PoCs) on December 19, 2022, the developers of the plugins acted quickly, with fixes released within weeks, or even days.
A fix for Survey Maker was released on December 21st as part of version 3.1.2 of the plugin. Paid Memberships Pro followed on the 27th with a fix in version 2.9.8, and Easy Digital Downloads on January 5th, 2023 with version 3.1.0.4.
Affected users who have not already done so are advised to update these plugins to at least those versions, and ideally to the latest releases, to close the SQL injection holes.
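To check an installation against the versions above, the added Python snippet below (not from the article, the plugin vendors or WP-CLI) parses the CSV output of `wp plugin list --format=csv --fields=name,status,version` and flags any of the three plugins still below its fixed version. The fixed version numbers are the ones the article gives; the WordPress.org plugin slugs are assumed, and the CSV is a constructed sample standing in for real WP-CLI output.

```python
import csv
import io

# First fixed release of each plugin, as reported in the article.
# The slugs are assumed WordPress.org plugin directory names, not taken from the article.
FIXED_VERSIONS = {
    "survey-maker": "3.1.2",
    "paid-memberships-pro": "2.9.8",
    "easy-digital-downloads": "3.1.0.4",
}


def parse_version(v):
    """Turn '3.1.0.4' into (3, 1, 0, 4) so versions compare numerically.
    Plain string comparison would wrongly rank '2.9.10' below '2.9.8'."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b; shorter tuples are zero-padded
    so that '3.1' and '3.1.0' compare equal rather than as different lengths."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def find_vulnerable(wp_plugin_list_csv):
    """Takes the text produced by
    `wp plugin list --format=csv --fields=name,status,version`
    and returns (slug, installed, fixed, status) for every tracked plugin
    whose installed version predates the fix. Inactive plugins are reported
    too: the vulnerable code stays on disk and the plugin may be re-enabled."""
    reader = csv.DictReader(io.StringIO(wp_plugin_list_csv))
    findings = []
    for row in reader:
        slug = row["name"]
        if slug in FIXED_VERSIONS and version_lt(row["version"], FIXED_VERSIONS[slug]):
            findings.append((slug, row["version"], FIXED_VERSIONS[slug], row["status"]))
    return findings


# Constructed sample of WP-CLI CSV output for a site with one fully patched
# plugin, one still-vulnerable active plugin and one vulnerable inactive plugin.
SAMPLE = """name,status,version
akismet,active,5.0.2
paid-memberships-pro,active,2.9.7
easy-digital-downloads,active,3.1.0.4
survey-maker,inactive,3.1.1
"""


if __name__ == "__main__":
    for slug, installed, fixed, status in find_vulnerable(SAMPLE):
        print(f"{slug} ({status}): installed {installed}, fixed in {fixed}")
```

On a real site, save the WP-CLI output with `wp plugin list --format=csv --fields=name,status,version > plugins.csv` and pass the file's contents to `find_vulnerable`; an empty result means all three plugins are at or past the patched release.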