A SQL Injection vulnerability has been identified in the WordPress Woocommerce Support System Plugin. This vulnerability could allow an attacker to inject malicious SQL code into the database, potentially compromising the security of the website and its visitors.
Credit for discovering and responsibly reporting this vulnerability goes to Mika.
The vulnerability is a SQL Injection vulnerability that occurs in the tickets.php file. The vulnerability allows an attacker to inject malicious SQL code into the database by specifying a specially crafted URL.
The vulnerability has a CVSS 3.1 score of 7.6, which is considered to be high.
The vulnerability affects all versions of the Woocommerce Support System Plugin prior to 1.1.1.
An attacker who successfully exploits this vulnerability could:
- Directly interact with the database, including but not limited to:
- Stealing information
- Modifying data
- Creating or deleting tables
This could lead to a variety of security risks, such as:
- Data theft
- Website defacement
- Denial of service attacks
Users of the Woocommerce Support System Plugin are strongly advised to uninstall the plugin until a patched version is available.