WooCommerce Wishlist add-on – SQLi Vulnerability

17 January 2018 - by James

On the 16th of January 2018 a vulnerability was found by Sucuri in a popular plugin for WordPress, YITH WooCommerce Wishlist. This plugin is installed on over half a million sites, which makes for a massive attack surface. We advise all users to update this plugin immediately, as a matter of the utmost priority.

How can I make sure I am not exploitable?

First of all, if you are not using this plugin (YITH WooCommerce Wishlist), you are safe. If you do not require this plugin but have it installed, we advise uninstalling it or updating it to the latest version.

If this plugin is required for your site to function correctly, then please make sure your installed copy is up to date; more importantly, make sure it is version 2.2.0 or newer.

As of version 2.2.0 this vulnerability has been patched: the vulnerable function no longer trusts user-supplied data.
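To illustrate what "no longer trusting user-supplied data" means in a WordPress plugin, here is an added example that is not YITH's code and does not reproduce the actual vulnerable function: a hypothetical wishlist lookup that interpolates a request parameter straight into SQL, beside the same lookup rewritten with `$wpdb->prepare()`, which is the standard way for WordPress plugins to pass user input into queries. The table name and columns are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. Assumes a hypothetical
// table {$wpdb->prefix}wishlist_items with columns id, user_id, product_id.

// UNSAFE pattern: the request parameter is trusted and concatenated into the
// SQL string, so its contents become part of the query rather than plain data.
function wishlist_items_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'wishlist_items';
    $sql   = "SELECT product_id FROM {$table} WHERE user_id = " . $_GET['user_id'];
    return $wpdb->get_col( $sql );
}

// HARDENED pattern: the value is coerced to the expected type and then passed
// through $wpdb->prepare(); the %d placeholder forces an integer (and %s would
// be escaped and quoted by WordPress), so the input can only ever be data.
function wishlist_items_safe() {
    global $wpdb;
    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
    if ( 0 === $user_id ) {
        return array(); // reject missing or non-numeric ids instead of querying
    }
    $table = $wpdb->prefix . 'wishlist_items';
    $sql   = $wpdb->prepare(
        "SELECT product_id FROM {$table} WHERE user_id = %d",
        $user_id
    );
    return $wpdb->get_col( $sql );
}
```

When reviewing a plugin, every input it reads (query string, POST body, AJAX and REST parameters) should be traced to either a `prepare()` placeholder or a type-appropriate sanitizer before it reaches `$wpdb`.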

What can this exploit do?

This exploit is an SQL injection vulnerability. SQL injection vulnerabilities can be used to read, change, add or remove any information in any connected database (depending on configuration).

It is important to update this plugin to keep your sites secure, to keep any database-stored data safe and to secure your core WordPress installation.

Don’t delay, upgrade today!