CVE-2023-35879 – This SQL injection vulnerability in WooCommerce... (How to Fix)

Q: What is the severity of CVE-2023-35879?

CVE-2023-35879 has a CVSS score of 9.8 (CRITICAL). This SQL injection vulnerability in WooCommerce Product Vendors allows attackers to execute arbitrary SQL commands on affected WordPress sites. It affects all versions up to 2.1.78, potentially compromising the database and site integrity. WordPress administrators using this plugin are at risk.

📋 TL;DR

This SQL injection vulnerability in WooCommerce Product Vendors allows attackers to execute arbitrary SQL commands on affected WordPress sites. It affects all versions up to 2.1.78, potentially compromising the database and site integrity. WordPress administrators using this plugin are at risk.

💻 Affected Systems

Products:

WooCommerce Product Vendors WordPress plugin

Versions: All versions up to and including 2.1.78

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WooCommerce Product Vendors plugin to be installed and active on WordPress site.

📦 What is this software?

Product Vendors by Woo

View all CVEs affecting Product Vendors →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, site takeover, and potential server compromise via SQL command execution.

🟠

Likely Case

Unauthorized data access, modification of product/vendor information, and potential administrative access to the WordPress site.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires shop manager or similar authenticated access. SQL injection techniques are well-documented and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.79 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-product-vendors/wordpress-woocommerce-product-vendors-plugin-2-1-78-shop-manager-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WooCommerce Product Vendors. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.1.79+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate woocommerce-product-vendors

Web Application Firewall Rules

all

Block SQL injection patterns targeting the plugin endpoints

# Configure WAF to block SQL patterns in POST/GET parameters

🧯 If You Can't Patch

Implement strict input validation and parameterized queries in custom code
Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > WooCommerce Product Vendors version. If version is 2.1.78 or lower, site is vulnerable.

Check Version:

wp plugin get woocommerce-product-vendors --field=version

Verify Fix Applied:

Verify plugin version is 2.1.79 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts from shop manager accounts
Unexpected database schema changes

Network Indicators:

POST requests with SQL patterns to vendor-related endpoints
Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="*vendor*" OR uri="*product-vendor*") AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*")

📊 Metadata

CVE ID: CVE-2023-35879

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: October 31, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35879, you might also want to check these: