The WooCommerce Amazon Affiliates (WZone) plugin [2] [3], developed by AA-Team [1], is a popular premium plugin that enables affiliate integration between AWS and WooCommerce sites [1]. Recent security assessments by Patchstack have identified multiple vulnerabilities in the plugin, affecting all tested versions [3].

Description

These vulnerabilities are present in versions including 14.0.10, and potentially in 14.0.20 and above [3]. They consist of an Authenticated Arbitrary Option Update [1] [3], an Unauthenticated SQL Injection [1], and an Authenticated SQL Injection [1]. The Authenticated Arbitrary Option Update vulnerability allows attackers to escalate privileges [3], while the SQL injection vulnerabilities enable users to inject malicious queries into the WordPress database [3]. Patchstack advises users to deactivate and delete the plugin, as no patched version is currently available. Attempts to contact the vendor received no response [3], which prompted the publication of the vulnerabilities and of recommended protective measures for users [3].

Conclusion

Given the absence of a patched version [3], users are strongly advised to take action to mitigate the risks posed by these vulnerabilities. The impact of these security flaws could be severe, and it is crucial for users to follow the recommended protective measures until a patched version becomes available. This incident highlights the importance of timely security updates and vendor responsiveness in ensuring the safety and integrity of WordPress plugins.

References

[1] https://patchstack.com/articles/multiple-vulnerabilities-in-woocommerce-amazon-affiliates-plugin/
[2] https://islainformatica.com/fallos-de-seguridad-encontrados-en-el-popular-complemento-woocommerce/
[3] https://www.infosecurity-magazine.com/news/security-flaws-found-woocommerce/