Vulnerability DatabaseCVE-2021-32789

CVE-2021-32789:
WordPress vulnerability analysis and mitigation

Overview

An SQL injection vulnerability (CVE-2021-32789) was discovered in WooCommerce and its WooCommerce Blocks feature plugin on July 13, 2021. The vulnerability affected all WooCommerce sites running versions between 3.3 and 5.5, as well as the WooCommerce Blocks feature plugin between versions 2.5.0 and prior to 5.5.1. The issue was responsibly disclosed by security researcher Josh via the HackerOne security program (WooCommerce Blog, WPScan).

Technical details

The vulnerability allowed for unauthenticated SQL injection attacks through the wc/store/products/collection-data endpoint, specifically via the calculateattributecounts[][taxonomy] parameter. The vulnerability received a CVSS score of 9.8 (Critical), indicating its severe nature. The issue allowed execution of read-only SQL queries that could potentially expose sensitive information from the database (GitHub Advisory).

Impact

If exploited, the vulnerability could allow attackers to access sensitive information stored in the WordPress database, including order details, customer information, and administrative data. While passwords were protected by WordPress's salted hash system, making them difficult to crack, other sensitive information such as API keys and payment gateway credentials could have been exposed (WooCommerce Blog).

Mitigation and workarounds

The vulnerability was patched in multiple versions, including WooCommerce 5.5.1 and various backported versions. Automatic updates were deployed to vulnerable stores. Recommended mitigation steps included updating to the latest patched version, changing administrator passwords, and rotating any payment gateway and WooCommerce API keys. For WooCommerce Blocks, users were advised to update to version 5.5.1 or higher (WooCommerce Blog).

Community reactions

WooCommerce immediately responded to the disclosure by conducting a thorough investigation and deploying automatic updates to affected stores. The company maintained transparent communication through their blog and social media channels, including Twitter announcements to alert users about the critical nature of the update (WPScan).

Additional resources

Source: This report was generated using AI

Related WordPress vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-14030	MEDIUM	6.4	WordPress	ai-feeds	No	Yes	Dec 12, 2025
CVE-2025-12965	MEDIUM	6.4	WordPress	magical-posts-display	No	Yes	Dec 12, 2025
CVE-2025-14442	MEDIUM	5.3	WordPress	secure-copy-content-protection	No	Yes	Dec 12, 2025
CVE-2025-14065	MEDIUM	5.3	WordPress	simple-bike-rental	No	Yes	Dec 12, 2025
CVE-2025-14159	MEDIUM	4.3	WordPress	secure-copy-content-protection	No	Yes	Dec 12, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-32789: WordPress vulnerability analysis and mitigation