"Security Flaws Found in Popular WooCommerce Plugin"

Security researchers at Patchstack have discovered multiple security vulnerabilities in the WooCommerce Amazon Affiliates (WZone) plugin. This premium WordPress plugin, developed by AA-Team and boasting over 35,000 sales, is designed to help site owners and bloggers monetize their websites via the Amazon affiliate program. The researchers noted that the vulnerabilities are serious, impacting all tested versions, including version 14.0.10 and potentially those from version 14.0.20 onward.

One of the critical issues is an authenticated arbitrary option update vulnerability, assigned CVE-2024-33549. According to the researchers, this flaw enables authenticated users to update arbitrary WP options, potentially leading to privilege escalation. The vulnerability remains unpatched and could allow attackers to gain higher-level access to the WordPress site, posing significant security risks.

Additionally, the researchers found two types of SQL injection vulnerabilities, assigned CVE-2024-33544 and CVE-2024-33546. These allow both unauthenticated and authenticated users to inject malicious SQL queries into the WordPress database, leading to data breaches or manipulation.

The severity of these flaws highlights the need for immediate action from site administrators using this plugin. Patchstack has advised users to deactivate and delete the WZone plugin, since no patched version is available.
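To make the two vulnerability classes in the report concrete for plugin developers and reviewers, the following is an added, constructed PHP illustration; it is not WZone's code, and the article does not describe the plugin's actual handlers. Each class is shown as the insecure coding pattern beside a hardened form built on standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `update_option`, `$wpdb->prepare`, `$wpdb->esc_like`). The option names, the nonce action, the AJAX action name and the table name are hypothetical.

```php
<?php
// Constructed illustration of the two vulnerability classes named in the
// article (arbitrary option update and SQL injection). Not WZone's code.

// --- 1. Arbitrary option update ----------------------------------------

// Insecure pattern: option name and value both come from the request, so any
// logged-in user who can reach the handler can overwrite any WP option,
// including security-sensitive ones. This is the shape of flaw that leads to
// the privilege escalation described in the report.
function wzone_demo_save_setting_insecure() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// Hardened pattern: nonce check, capability check, an allowlist of the option
// names this handler may touch, and a sanitizer chosen per option.
const WZONE_DEMO_ALLOWED_OPTIONS = array(
    'wzone_demo_affiliate_tag'  => 'sanitize_text_field', // hypothetical option
    'wzone_demo_items_per_page' => 'absint',              // hypothetical option
);

function wzone_demo_save_setting_hardened() {
    check_ajax_referer( 'wzone_demo_settings', 'nonce' );   // hypothetical nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! array_key_exists( $name, WZONE_DEMO_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }
    $sanitizer = WZONE_DEMO_ALLOWED_OPTIONS[ $name ];
    $value     = isset( $_POST['option_value'] )
        ? $sanitizer( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_wzone_demo_save_setting', 'wzone_demo_save_setting_hardened' );

// --- 2. SQL injection ---------------------------------------------------

// Insecure pattern: request data concatenated straight into the SQL string.
function wzone_demo_search_products_insecure( $keyword ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wzone_demo_products'; // hypothetical table
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE title LIKE '%" . $keyword . "%'"
    );
}

// Hardened pattern: $wpdb->prepare() binds the value through a placeholder,
// and $wpdb->esc_like() neutralises LIKE wildcards in the user's input first.
function wzone_demo_search_products_hardened( $keyword ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wzone_demo_products'; // hypothetical table
    $like  = '%' . $wpdb->esc_like( $keyword ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}
```

The allowlist is the key control in the first half: a capability check alone is not enough if lower-privileged roles can legitimately reach the handler, and sanitizing the value is not enough if the option name itself is attacker-chosen. In the second half, the table name is built from `$wpdb->prefix` and a fixed string, never from input, because `prepare()` placeholders cover values only, not identifiers.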

Infosecurity Magazine reports: "Security Flaws Found in Popular WooCommerce Plugin"

Submitted by Adam Ekwall on