Security Flaws Found in Popular WooCommerce Plugin

Multiple security vulnerabilities have been found in the WooCommerce Amazon Affiliates (WZone) plugin, according to Patchstack. 

This premium WordPress plugin, developed by AA-Team and boasting over 35,000 sales, is designed to assist site owners and bloggers in monetizing their websites via the Amazon affiliate program. 

The vulnerabilities identified are serious, impacting all tested versions, including version 14.0.10 and potentially those from version 14.0.20 onward.

One of the critical issues is an authenticated arbitrary option update vulnerability, assigned CVE-2024-33549. This flaw enables authenticated users to update arbitrary WP options, potentially leading to privilege escalation. This vulnerability, which remains unpatched, could allow attackers to gain higher-level access to the WordPress site, posing significant security risks.

Additionally, the Patchstack study found two SQL injection vulnerabilities, one unauthenticated and one authenticated, assigned CVE-2024-33544 and CVE-2024-33546, respectively.

These vulnerabilities allow unauthenticated and authenticated users, respectively, to inject malicious SQL queries into the WordPress database, leading to data breaches or manipulation. The severity of these flaws highlights the need for immediate action from site administrators using this plugin.

Patchstack has advised users to deactivate and delete the WZone plugin due to the absence of a patched version. 

Despite reported attempts from Patchstack to contact the vendor, no response has been received, prompting the company to publish the vulnerabilities and provide protective measures for their users.

“The most important thing when implementing an action or process is to apply permission or role and nonce validation. Permission or role check could be validated using current_user_can function and nonce value could be validated using wp_verify_nonce or check_ajax_referer,” reads the technical write-up.

“For the SQL query process, always do a safe escape and format for the user’s input before performing a query, and never give arbitrary access for users to update tables on the database.”
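As an added example (not code from the WZone plugin or from Patchstack's write-up), the following WordPress handler applies the three controls the write-up names: nonce validation with check_ajax_referer, a capability check with current_user_can, and a prepared statement for the query. The hook name, option names and table name are hypothetical.

```php
<?php
/**
 * Added example, not code from the WZone plugin: a hardened AJAX handler
 * for a plugin settings page. Hook, option and table names are hypothetical.
 */

// Only these options may be written by this handler. An "arbitrary option
// update" bug is a handler that lets the request choose any wp_options row.
const WZ_EXAMPLE_ALLOWED_OPTIONS = array( 'wz_example_region', 'wz_example_tracking_id' );

function wz_example_save_setting() {
    // 1. Nonce: the settings page embeds wp_create_nonce( 'wz_example_save_setting' )
    //    as the "nonce" field; check_ajax_referer() stops the request (HTTP 403)
    //    when that value is missing, expired or forged.
    check_ajax_referer( 'wz_example_save_setting', 'nonce' );

    // 2. Permission: only users who may manage options reach this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $name  = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    // 3. Allowlist: the caller never picks the option name freely.
    if ( ! in_array( $name, WZ_EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    update_option( $name, $value );
    wp_send_json_success();
}
// Registered on wp_ajax_ only (logged-in users); no wp_ajax_nopriv_ hook,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_wz_example_save_setting', 'wz_example_save_setting' );

// SQL: bind user input with $wpdb->prepare() instead of concatenating it.
function wz_example_lookup_product( $asin ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wz_example_products'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE asin = %s LIMIT 1",
        $asin
    );
    return $wpdb->get_row( $sql );
}
```

A handler missing any one of the three checks (nonce, capability, allowlist) is the shape of the flaws described above; all three belong on every state-changing action.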
