PT-2021-19934 · WordPress · Woocommerce

Josh · Published 2021-07-26 · Updated 2021-08-04 · CVE-2021-32790

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WooCommerce versions 3.3.0 through 3.3.5

Description

An SQL injection issue affects WooCommerce sites running the plugin between versions 3.3.0 and 3.3.5. Malicious actors with admin access or API keys can exploit vulnerable endpoints such as "/wp-json/wc/v3/webhooks" and "/wp-json/wc/v2/webhooks". By carefully crafting the search parameter, information can be disclosed using timing and related attacks, although data will not be returned directly.

Recommendations

For versions 3.3.0 through 3.3.5, upgrade to version 3.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints "/wp-json/wc/v3/webhooks" and "/wp-json/wc/v2/webhooks" to minimize the risk of exploitation. Avoid using the search parameter in the affected API endpoints until the issue is resolved.
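
To check whether the search parameter is still being sent to the two endpoints named above, the following added example (not part of the advisory or of WooCommerce) scans web server access logs for such requests. It assumes the common/combined log format; the function names and sample lines are constructed for illustration, and it also matches the `rest_route` query form that WordPress uses when pretty permalinks are off.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory, as REST routes (no /wp-json prefix).
AFFECTED_ROUTES = {"/wc/v3/webhooks", "/wc/v2/webhooks"}
# Common/combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def rest_route(target):
    """Return (REST route or None, parsed query) for a request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    path = unquote(parts.path)
    if "/wp-json/" in path:        # pretty permalinks, any install subdirectory
        route = "/" + path.split("/wp-json/", 1)[1]
    elif "rest_route" in query:    # plain permalinks: /?rest_route=/wc/v3/webhooks
        route = query["rest_route"][0]
    else:
        return None, query
    return route.rstrip("/").lower(), query

def flag_search_requests(lines):
    """List requests to an affected endpoint that carry a `search` parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route, query = rest_route(m["target"])
        if route in AFFECTED_ROUTES and "search" in query:
            # Record the length only, so the report does not copy request data.
            hits.append({"client": m["client"], "ts": m["ts"], "route": route,
                         "status": int(m["status"]),
                         "search_len": len(query["search"][0])})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jul/2021:10:00:01 +0000] "GET /wp-json/wc/v3/webhooks?search=order&per_page=10 HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Jul/2021:10:00:05 +0000] "GET /?rest_route=%2Fwc%2Fv2%2Fwebhooks&search=created HTTP/1.1" 200 498',
    '198.51.100.4 - - [26/Jul/2021:10:01:00 +0000] "GET /wp-json/wc/v3/webhooks?per_page=10 HTTP/1.1" 200 640',
    '198.51.100.4 - - [26/Jul/2021:10:01:09 +0000] "GET /wp-json/wc/v3/products?search=shirt HTTP/1.1" 200 2048',
    '203.0.113.7 - - [26/Jul/2021:10:02:00 +0000] "GET /shop/wp-json/wc/v3/webhooks/?search= HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for hit in flag_search_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so parameters sent in a request body are not visible to this check.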

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2021-32790
GHSA-7VX5-X39W-Q24G

Affected Products

Woocommerce