A critical SQL Injection vulnerability has been identified in the TI WooCommerce Wishlist Plugin. This vulnerability could allow an attacker to execute arbitrary SQL queries on the affected website’s database, which could lead to data theft, unauthorized access, and other malicious activity.

The SQL Injection vulnerability occurs in the wishlist-functions.php file. The SQL Injection vulnerability was identified and responsibly reported by WordFence. The vulnerability allows an attacker to inject malicious SQL queries into the website’s database by sending a specially crafted request. The malicious SQL queries can then be executed by the website’s database, which could lead to the impact described above.

Severity:

With a CVSS 3.1 score of 9.3, the TI WooCommerce Wishlist Plugin’s SQL Injection vulnerability is classified as critical. This means that the vulnerability is very likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

If your website is running any version of the TI WooCommerce Wishlist Plugin prior to 2.7.4, it is susceptible to this critical vulnerability.

Impact:

An attacker who successfully exploits this vulnerability could gain access to sensitive information stored in the affected website’s database, such as user login credentials, credit card numbers, and personal data. This information could then be used to commit identity theft, financial fraud, or other crimes.

The attacker could also use the vulnerability to gain unauthorized access to the affected website’s administrative dashboard, which would allow them to make changes to the website’s content or configuration. This could lead to the website being defaced, taken offline, or used to distribute malware.

Recommendation:

To enhance WordPress security and protect websites from this critical vulnerability, website owners are strongly advised to take the following actions:

  1. Update to the Latest Version: Update the WordPress TI WooCommerce Wishlist plugin to version 2.7.4 or higher without delay. The latest version includes essential patches to eliminate the SQL Injection vulnerability and bolster overall plugin security.
  2. Regular Security Audits: Conduct periodic security audits of the WordPress website to identify and address potential vulnerabilities proactively.
  3. Stay Informed: Continuously monitor official updates and announcements regarding the TI WooCommerce Wishlist Plugin to stay informed about any potential fixes or patches.
  4. Consider Security Assistance: Consult with WordPress security experts or developers to assess the potential impact website and implement additional security measures if necessary.