Security Flaws Found in Popular WooCommerce Plugin
Multiple security vulnerabilities have been found in the WooCommerce Amazon Affiliates (WZone) plugin, according to Patchstack.
This premium WordPress plugin, developed by AA-Team and boasting over 35,000 sales, is designed to assist site owners and bloggers in monetizing their websites via the Amazon affiliate program.
The vulnerabilities are serious and affect every version Patchstack tested, including 14.0.10; the researchers note that 14.0.20 and later are potentially affected as well.
The first is an authenticated arbitrary option update vulnerability, CVE-2024-33549. It lets any authenticated user, regardless of role, write arbitrary values into the WordPress options table, which can be turned into privilege escalation. The flaw remains unpatched, so an attacker with a low-privileged account could gain higher-level access to the site.
Patchstack also found two SQL injection vulnerabilities: an unauthenticated one, CVE-2024-33544, and an authenticated one, CVE-2024-33546.
These allow attackers to inject SQL into queries the plugin runs against the WordPress database, exposing or manipulating stored data. The unauthenticated variant in particular means exploitation requires no account on the site, which is why Patchstack is urging immediate action from administrators running the plugin.
Patchstack has advised users to deactivate and delete the WZone plugin due to the absence of a patched version.
Despite reported attempts from Patchstack to contact the vendor, no response has been received, prompting the company to publish the vulnerabilities and provide protective measures for their users.
“The most important thing when implementing an action or process is to apply permission or role and nonce validation. Permission or role check could be validated using current_user_can function and nonce value could be validated using wp_verify_nonce or check_ajax_referer,” reads the technical write-up.
“For the SQL query process, always do a safe escape and format for the user’s input before performing a query, and never give arbitrary access for users to update tables on the database.”
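The following is an added illustration, not code from the WZone plugin or from Patchstack's write-up. It shows the two weakness classes the advisory describes (an option-update handler with no capability or nonce check, and a query built by string concatenation) beside the hardened form using the WordPress functions the write-up names: current_user_can, check_ajax_referer and $wpdb->prepare. The hook names, option names and table name are assumptions made for the example.

```php
<?php
// Added example, not WZone's code. Hook, option and table names are hypothetical.

// --- Vulnerable pattern ---
// wp_ajax_* hooks are reachable by any logged-in user, whatever their role;
// wp_ajax_nopriv_* hooks are reachable by anyone. Without a capability and
// nonce check, this handler is an authenticated arbitrary option update.
add_action( 'wp_ajax_wz_save_setting', 'wz_save_setting_vulnerable' );
function wz_save_setting_vulnerable() {
    // The client chooses both the option key and its value.
    update_option( $_POST['name'], $_POST['value'] );

    global $wpdb;
    // SQL injection: 'term' is concatenated straight into the query.
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}wz_products WHERE title LIKE '%" . $_POST['term'] . "%'"
    );
    wp_send_json_success( $rows );
}

// --- Hardened form ---
add_action( 'wp_ajax_wz_save_setting_safe', 'wz_save_setting_safe' );
function wz_save_setting_safe() {
    // 1. CSRF protection: dies unless the request carries a valid nonce
    //    for the 'wz_save_setting' action in the 'nonce' field.
    check_ajax_referer( 'wz_save_setting', 'nonce' );

    // 2. Authorization: only users who may manage site options get past here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never let the client pick the option key: allowlist the plugin's own keys.
    $allowed = array( 'wz_api_region', 'wz_items_per_page' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );

    // 4. Parameterised query: $wpdb->prepare() escapes and quotes %s, and
    //    esc_like() neutralises the LIKE wildcards in the user's term.
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wz_products WHERE title LIKE %s",
        '%' . $wpdb->esc_like( $term ) . '%'
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// The nonce is minted server-side when the admin page's script is enqueued, e.g.:
// wp_localize_script( 'wz-admin', 'wzAjax',
//     array( 'nonce' => wp_create_nonce( 'wz_save_setting' ) ) );
```

The allowlist in step 3 is the part that addresses arbitrary option updates: sanitizing the value alone does not help when the attacker controls the key, since WordPress stores its own security-relevant settings (for example which role new registrations receive) in the same wp_options table. When reviewing a plugin, check each wp_ajax_*, wp_ajax_nopriv_* and admin_post_* handler for all three controls (nonce, capability, and prepared queries); a handler missing any one of them is the pattern Patchstack describes.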