Platform: wordpress
Component: woocommerce-openpos
Fixed version: 6.4.5
CVE-2024-37933 describes a SQL Injection vulnerability within the Woocommerce OpenPos plugin. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the entire system. The vulnerability affects versions of Woocommerce OpenPos up to and including 6.4.4, with a fix released in version 6.4.5.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data (customer information, order details, payment information), modify data, or even execute arbitrary commands on the database server. The blast radius extends to any data stored within the Woocommerce OpenPos database, potentially impacting customer trust and leading to regulatory fines. While no specific real-world exploitation has been publicly reported yet, the CRITICAL CVSS score highlights the significant risk posed by this vulnerability, particularly given the widespread use of Woocommerce and its plugins.
CVE-2024-37933 was publicly disclosed on 2024-07-12. Its CRITICAL CVSS score suggests a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of SQL injection exploitation means a PoC is likely to emerge. It is not currently listed on CISA KEV.
This vulnerability primarily affects e-commerce businesses using Woocommerce and the OpenPos plugin. Shared hosting environments are particularly at risk, as vulnerabilities in one plugin can potentially impact multiple websites on the same server. Organizations with legacy Woocommerce configurations or those who have not regularly updated their plugins are also at heightened risk.
Detection:
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/woocommerce-openpos/
• generic web (only works if the plugin's readme.txt is web-readable; the original `curl -I ... | grep SQL` matched nothing, since response headers never carry SQL):
  curl -s https://your-wordpress-site.com/wp-content/plugins/woocommerce-openpos/readme.txt | grep -i "stable tag"
• wordpress / composer / npm:
  wp plugin list --status=active | grep woocommerce-openpos

Disclosure
Exploitation status
EPSS: 0.35% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Woocommerce OpenPos to version 6.4.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL queries targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attacks. Monitor database logs for unusual activity or SQL errors that could indicate an attempted exploitation. After upgrade, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the Woocommerce OpenPos plugin to the latest available version. The SQL injection vulnerability has been fixed in versions later than 6.4.4. Consult the plugin documentation for detailed instructions on how to perform the update.
CVE-2024-37933 is a critical SQL Injection vulnerability affecting Woocommerce OpenPos versions up to 6.4.4, allowing attackers to inject malicious SQL code and potentially compromise the database.
You are affected if you are using Woocommerce OpenPos version 6.4.4 or earlier. Check your plugin version and upgrade immediately.
Upgrade Woocommerce OpenPos to version 6.4.5 or later. Consider implementing a WAF as an interim measure if immediate upgrade is not possible.
While no active exploitation has been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Woocommerce security advisory for details and updates: [https://woocommerce.com/security/](https://woocommerce.com/security/)