CVE-2024-3067 in WooCommerce Google Feed Manager Plugin
Summary
by MITRE • 04/16/2024
The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be used by unauthenticated attackers to inject malicious web scripts.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/06/2025
The vulnerability identified as CVE-2024-3067 affects the WooCommerce Google Feed Manager plugin for WordPress, representing a critical SQL injection flaw that compromises database security. This vulnerability exists in all plugin versions up to and including 2.4.2, making it a widespread concern for WordPress administrators who rely on this commerce-focused plugin for managing product feeds to Google Shopping. The flaw stems from inadequate input sanitization and improper SQL query preparation mechanisms within the plugin's codebase, creating a dangerous attack vector that can be exploited by malicious actors with elevated privileges.
The technical implementation of this vulnerability occurs through the 'id' parameter which is not properly escaped or validated before being incorporated into SQL queries. This parameter serves as the primary entry point for attackers to manipulate the underlying database operations, allowing them to inject malicious SQL commands that can be executed within the context of the existing database queries. The vulnerability specifically manifests when the plugin processes user-supplied input without adequate parameterization or escaping, enabling attackers to construct additional SQL statements that can be appended to the original queries. This type of flaw is classified as CWE-89, which represents SQL injection vulnerabilities where untrusted data is directly incorporated into SQL command strings without proper sanitization.
The operational impact of this vulnerability is severe and multifaceted, particularly for authenticated attackers with administrator-level access or higher. These attackers can leverage the SQL injection to extract sensitive information from the WordPress database, potentially accessing user credentials, customer data, payment information, and other confidential business data. The vulnerability also enables attackers to modify database contents, potentially corrupting critical commerce data or inserting malicious entries that could affect product listings, pricing, or inventory management. Additionally, the vulnerability can be exploited by unauthenticated attackers to inject malicious web scripts, expanding the attack surface beyond the typical administrative privileges required for database access. This dual nature of exploitation makes the vulnerability particularly dangerous as it can be leveraged by both internal and external threats.
The implications of this vulnerability extend beyond immediate data compromise, as it represents a fundamental failure in input validation and database query construction within the plugin's architecture. The attack surface is particularly concerning for e-commerce environments where WooCommerce Google Feed Manager is commonly deployed, as these systems typically contain sensitive customer information, transactional data, and business-critical product information. The vulnerability's persistence across multiple versions indicates a systemic code quality issue that requires immediate remediation. Organizations should prioritize patching this vulnerability as it provides attackers with direct database access capabilities that can lead to complete system compromise, data exfiltration, and potential regulatory compliance violations.
Mitigation strategies should focus on immediate patching of the WooCommerce Google Feed Manager plugin to the latest version that addresses this vulnerability, as well as implementing comprehensive input validation and parameterized query execution throughout the WordPress environment. System administrators should also consider implementing web application firewalls, monitoring database access patterns for unusual activity, and conducting regular security audits of installed plugins. The vulnerability highlights the importance of following secure coding practices including parameterized queries, input sanitization, and regular security testing of third-party WordPress plugins to prevent similar issues in the future. Organizations should also consider implementing principle of least privilege access controls and monitoring for unauthorized administrative activities that could indicate exploitation attempts.