    toxoplasmaarts (@toxoplasmaarts), topic status: Resolved


    Hi all, SiteLock warned us today of a vulnerability for SQL injection. The “add to cart” GET parameter is not being sanitized. The scan gave only two URLs in question, and they are both for a product on our site with /?add-to-cart=15031 and /?add-to-cart=15033 added to the product slug.

    I figured this would be a WooCommerce-side issue and wanted to reach out. From what I understand in reading other posts, WooCommerce already has a system in place that will not allow any strings of GET without a number in the string. However, any suggestions here? I’ve also sent in a support ticket to our main WooCommerce support with a full system report, but from what I read on the report, there’s nothing else amiss. All our plugins and such are up to date. I did just update WooCommerce recently and wanted to see if anyone else had received this warning since version 5.3.0.
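
The poster's understanding above, that WooCommerce will only accept a number for add-to-cart, is the crux of whether a scanner finding like this is real. The following Python is an added example, not WooCommerce, WordPress or SiteLock code: it models the parameter handling with PHP absint() semantics (WooCommerce's form handler passes this value through absint(); confirm against the version you actually run), builds a constructed in-memory product table, and pushes a few constructed scanner-style probe values through both a naive string-interpolation lookup and the integer-coerced, parameter-bound lookup. The product IDs are the ones from the thread's URLs; the hostname, table and probe strings are assumptions.

```python
# Added example (not WooCommerce or SiteLock code): a small model of why an
# integer-coerced add-to-cart value cannot carry a SQL injection payload,
# next to the interpolation pattern a scanner is really looking for.
# Assumptions: the coercion imitates PHP absint(); the catalogue is constructed.
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed catalogue. The first two IDs come from the URLs in the thread.
PRODUCTS = [
    (15031, "Widget, blue", 19.99),
    (15033, "Widget, red", 19.99),
    (15034, "Widget, green", 19.99),
]

# Constructed probe values of the kind a scanner injects into the parameter.
PROBES = [
    "15031",
    "15031' OR '1'='1",
    "' OR 1=1 --",
    "-15033",
    "15031 UNION SELECT 1,2,3",
]


def php_absint(value: str) -> int:
    """Model of PHP absint(): intval() keeps only a leading optional sign and
    digits (after whitespace) and yields 0 for anything else; abs() then
    removes the sign. Assumption: WooCommerce applies absint() to add-to-cart."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return abs(int(m.group(1))) if m else 0


def add_to_cart_param(url: str) -> str:
    """Raw (percent-decoded) value of the add-to-cart query parameter, '' when absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("add-to-cart", [""])[0]


def _catalogue() -> sqlite3.Connection:
    """In-memory product table standing in for the real posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_unsafe(raw: str) -> list:
    """Vulnerable pattern: the raw parameter is spliced into the SQL text, so a
    quote in the input changes the query structure. A probe that breaks the
    statement outright is reported as the single string 'SQL error'."""
    conn = _catalogue()
    sql = f"SELECT id FROM products WHERE id = '{raw}' ORDER BY id"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return ["SQL error"]


def lookup_hardened(raw: str) -> list:
    """Hardened pattern: coerce to a non-negative integer first, then bind it
    as a query parameter. The SQL text never contains attacker-controlled bytes."""
    product_id = php_absint(raw)
    conn = _catalogue()
    rows = conn.execute("SELECT id FROM products WHERE id = ? ORDER BY id", (product_id,))
    return [row[0] for row in rows]


def probe_results() -> dict:
    """Run every probe through both patterns. Only the unsafe side ever
    returns rows the probe's numeric prefix did not ask for."""
    return {p: (lookup_unsafe(p), lookup_hardened(p)) for p in PROBES}


if __name__ == "__main__":
    # Constructed URL: the thread's product ID with a classic probe appended.
    url = "https://shop.example/product/widget/?add-to-cart=15031%27%20OR%20%271%27%3D%271"
    raw = add_to_cart_param(url)
    print(f"raw={raw!r} -> absint={php_absint(raw)}")
    for probe, (unsafe, hardened) in probe_results().items():
        print(f"{probe!r:28} unsafe={unsafe} hardened={hardened}")
```

Run it as a script to print both result sets per probe. The interpolating lookup returns the whole table for the `' OR '1'='1` probe, while the coerced lookup returns at most the one product whose ID prefixes the input and nothing for inputs with no leading digits, so a scanner that only reflects a payload into the parameter without observing a behavioural difference is reporting on the parameter's shape, not a confirmed injection. One caveat the model also makes visible: absint() maps `-15033` to 15033, so a negative value still resolves to a real product rather than being rejected.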

Viewing 2 replies - 1 through 2 (of 2 total)
    abwaita (@abwaita), Plugin Support

    Hi @toxoplasmaarts,

    There hasn’t been much activity on this thread, so I wanted to add a few more options for you to search for insights from.

    You can visit the WooCommerce Facebook group or the #developers channel of the WooCommerce Community Slack. You’ll find a great community of open-source developers for WooCommerce, and many of our developers hang out there, as well.

    I hope this helps.

    Thanks.

    laceyrod (@laceyrod), Automattic Happiness Engineer

    Hi there,

    Since we haven’t heard back from you, and this thread has been inactive for a bit, I’m going to mark it as Resolved now for the overall health of the forums. Please feel free to open a new one if you have any further questions.

    Cheers!

The topic ‘SQL Injection Warning – add to cart parameter’ is closed to new replies.