Unpatched critical vulnerabilities WZone WooCommerce Amazon Affiliates
Take action: If you are using the WZone WooCommerce Amazon Affiliates plugin, it is time to find another plugin. If the developers cannot be bothered to fix critical issues, you and your business are not safe. Move on, fast.
The WooCommerce Amazon Affiliates (WZone) plugin has been found to have multiple serious security vulnerabilities, according to Patchstack.
This plugin helps site owners and bloggers monetize their websites through the Amazon affiliate program. The vulnerabilities affect every version that was tested, up to and including 14.0.10, and are believed to also affect version 14.0.20 and later.
The vulnerabilities are:
- CVE-2024-33549 (CVSS score 8.8): Authenticated arbitrary option update vulnerability. This flaw allows an authenticated user to update arbitrary WordPress options, potentially leading to privilege escalation, for example by changing the options that control whether visitors can register and which role a new account receives.
- CVE-2024-33544 (CVSS score 9.3): Unauthenticated SQL injection vulnerability. This flaw allows an unauthenticated attacker to inject malicious SQL into queries against the WordPress database, potentially leading to data theft or manipulation.
- CVE-2024-33546 (CVSS score 9.6): Authenticated SQL injection vulnerability. This flaw allows an authenticated user to inject malicious SQL into queries against the WordPress database, potentially leading to data theft or manipulation.
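The two bug classes listed above are common in WordPress plugins, so the following added illustration shows how each typically arises in an AJAX handler and what the hardened version looks like. This is example code written for this page, not WZone's code and not the actual WZone vulnerabilities; every function, action, option and table name beginning with `demo_` is hypothetical.

```php
<?php
/*
 * Added illustration for this page, not WZone's code. Shows the generic
 * shape of an arbitrary option update and an SQL injection in a WordPress
 * plugin AJAX handler, each beside a hardened version. All demo_* names
 * are hypothetical.
 */

// ---- Vulnerable patterns (shown for contrast, not registered) ------------

// Arbitrary option update: the caller chooses both option name and value.
// Any logged-in user could set users_can_register=1 and default_role=
// 'administrator', then register a new account that is an administrator.
function demo_save_setting_vulnerable() {
    update_option( $_POST['name'], $_POST['value'] ); // no nonce, no capability check, no allowlist
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable' );

// SQL injection: request input concatenated straight into the query string.
// Registering it on wp_ajax_nopriv_ would make it reachable without a login,
// which is the unauthenticated variant.
function demo_search_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_products';
    $rows  = $wpdb->get_results( "SELECT * FROM {$table} WHERE asin = '" . $_GET['asin'] . "'" );
    wp_send_json_success( $rows );
}
// add_action( 'wp_ajax_nopriv_demo_search', 'demo_search_vulnerable' );
// add_action( 'wp_ajax_demo_search',        'demo_search_vulnerable' );

// ---- Hardened versions ----------------------------------------------------

// Only options the plugin actually owns may be written through this endpoint.
const DEMO_ALLOWED_OPTIONS = array( 'demo_affiliate_tag', 'demo_items_per_page' );

function demo_save_setting_hardened() {
    check_ajax_referer( 'demo_save_setting', 'nonce' );     // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {          // authorisation, not just authentication
        wp_send_json_error( 'forbidden', 403 );              // wp_send_json_error() ends the request
    }
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) { // allowlist keeps default_role etc. out of reach
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_hardened' );

function demo_search_hardened() {
    global $wpdb;
    $asin = sanitize_text_field( wp_unslash( $_GET['asin'] ?? '' ) );
    // Amazon ASINs are ten alphanumerics; reject anything else before it nears SQL.
    if ( ! preg_match( '/^[A-Z0-9]{10}$/', $asin ) ) {
        wp_send_json_error( 'bad asin', 400 );
    }
    $table = $wpdb->prefix . 'demo_products';
    $rows  = $wpdb->get_results(
        // %s placeholder: $wpdb->prepare() escapes and quotes the value itself.
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE asin = %s", $asin )
    );
    wp_send_json_success( $rows );
}
// Public search is fine to expose without a login once the query is parameterised.
add_action( 'wp_ajax_nopriv_demo_search', 'demo_search_hardened' );
add_action( 'wp_ajax_demo_search',        'demo_search_hardened' );
```

The three controls in the hardened option handler do different jobs: the nonce stops cross-site request forgery, the capability check stops low-privilege users, and the allowlist is what actually prevents the escalation path, because even an administrator should not be able to rewrite unrelated core options through a plugin endpoint. For the query, the fix is `$wpdb->prepare()` with a placeholder; the ASIN format check is defence in depth, not a substitute for it.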
Despite Patchstack's attempts to contact the vendor, no response was received, prompting the company to publish details of the vulnerabilities and recommend protective measures. Because no patched version exists, Patchstack advises users to deactivate and delete the WZone plugin.
Update, 17 July 2024: a proof of concept (PoC) for the critical unauthenticated SQL injection vulnerability CVE-2024-33544 has been released. Users should remove this plugin as soon as possible, since it is not being maintained.