Three popular e-commerce plugins for WordPress (WP) installs have been open to SQL injection attacks since December 2022, but have since been patched, protecting companies from threat actors modifying or deleting their websites.
The three affected plugins, all discovered by security researcher Joshua Martinelle (via PC), are:
- Paid Pro Membership, a subscription management tool active on over 100,000 installs
- Easy Digital Downloads, an e-commerce tool active on over 50,000 installs
- Survey Maker, a market research tool with over 3,000 active installs
SQL injections are vulnerabilities that allow attackers to inject data through website forms or URLs so that it is interpreted as part of a database query. Attackers could use SQL injection vulnerabilities to inject malicious SQL designed to modify website content, or to gain unauthorized access to site backends.
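To make the point concrete, here is an added example (not code from the article or from any of the plugins it names) contrasting the injectable pattern a WordPress plugin can fall into with the prepared-statement form WordPress offers through `$wpdb->prepare()`. The `FakeWpdb` class, the `wp_survey` table and the `survey_lookup_*` functions are assumptions for this example: a minimal stand-in for the real `$wpdb` object backed by an in-memory SQLite database so the file runs offline.

```php
<?php
// Added example, not part of the original article or of any named plugin.
// FakeWpdb is an assumed stand-in for WordPress's $wpdb: it mimics prepare()
// and get_results() on an in-memory SQLite database (requires pdo_sqlite).
class FakeWpdb {
    private PDO $db;
    public string $prefix = 'wp_';

    public function __construct() {
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Constructed sample data standing in for a plugin's own table.
        $this->db->exec("CREATE TABLE wp_survey (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)");
        $this->db->exec("INSERT INTO wp_survey (title, owner) VALUES ('Public poll', 'alice'), ('Private poll', 'bob')");
    }

    // Mirrors the idea of the real $wpdb->prepare(): %s becomes an escaped,
    // quoted string and %d an integer, so untrusted values can never alter the
    // query's grammar. (Real wpdb escapes for MySQL; SQLite doubles quotes.)
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%([sd])/', function ($m) use ($args, &$i) {
            $value = $args[$i++] ?? '';
            if ($m[1] === 'd') {
                return (string) (int) $value;
            }
            return "'" . str_replace("'", "''", (string) $value) . "'";
        }, $query);
    }

    public function get_results(string $sql): array {
        try {
            return $this->db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            return []; // a broken query returns nothing rather than crashing the example
        }
    }
}

// Vulnerable pattern: a request parameter is concatenated straight into SQL.
// This is the shape of bug the article describes.
function survey_lookup_vulnerable(FakeWpdb $wpdb, string $owner): array {
    $sql = "SELECT id, title FROM {$wpdb->prefix}survey WHERE owner = '" . $owner . "'";
    return $wpdb->get_results($sql);
}

// Hardened pattern: the value travels through prepare() as a placeholder.
function survey_lookup_prepared(FakeWpdb $wpdb, string $owner): array {
    $sql = $wpdb->prepare("SELECT id, title FROM {$wpdb->prefix}survey WHERE owner = %s", $owner);
    return $wpdb->get_results($sql);
}

$wpdb = new FakeWpdb();
$normal   = 'alice';
$tampered = "alice' OR '1'='1"; // constructed input, as an attacker-controlled form or URL value would be

printf("vulnerable, normal input   : %d row(s)\n", count(survey_lookup_vulnerable($wpdb, $normal)));   // 1
printf("vulnerable, tampered input : %d row(s)\n", count(survey_lookup_vulnerable($wpdb, $tampered))); // 2: bob's private poll leaks
printf("prepared,   tampered input : %d row(s)\n", count(survey_lookup_prepared($wpdb, $tampered)));   // 0: treated as a literal owner name
```

The tampered value changes the meaning of the concatenated query so that every row matches, which is exactly how a read-only lookup turns into unauthorized data access. With `prepare()` the same value is just an odd-looking owner name that matches nothing. When auditing a plugin, the thing to look for is any `$wpdb->query()` or `$wpdb->get_results()` call whose SQL string is assembled from `$_GET`, `$_POST` or REST parameters without passing through `prepare()`.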
WordPress SQL injection
While any website can be left vulnerable to SQL injection during development, WordPress installations, running on a widely used platform with many popular plug-ins, are a favored target for threat actors looking for exploits.
Fortunately, after the flaws were disclosed and proof-of-concept (PoC) exploits were submitted by Martinelle to WordPress on December 19, 2022, the plugin developers moved quickly to address them, with fixes released in a matter of weeks, or even days.
A fix for Survey Maker, as part of version 3.1.2 of the plugin, was released on December 21. Paid Pro Membership followed on the 27th, with a fix introduced in version 2.9.8, and Easy Digital Downloads followed on January 5, 2023 as part of version 18.104.22.168.
Affected users who have not already done so are advised to update these plugins to the latest versions to protect themselves from these SQL injection attacks for the foreseeable future.