CVE-2021-32790: 
WordPress vulnerability analysis and mitigation

An SQL injection vulnerability was discovered in WooCommerce affecting versions 3.3.0 through 5.5. The vulnerability was responsibly disclosed on July 13, 2021, by security researcher Josh via the HackerOne security program (GitHub Advisory, WooCommerce Blog).

The vulnerability allowed malicious actors with admin access or API keys to exploit vulnerable endpoints including /wp-json/wc/v3/webhooks, /wp-json/wc/v2/webhooks and other webhook listing APIs. While data would not be directly returned, attackers could execute read-only SQL queries and extract information through timing and related attacks by carefully crafting the search parameter (GitHub Advisory, WPScan).

If exploited, the vulnerability could expose sensitive information including order details, customer data, and administrative information stored in the WooCommerce database. While passwords were protected by WordPress's salted hash system, other sensitive data like API keys and payment gateway credentials could be compromised (WooCommerce Blog).

The vulnerability was patched in versions 5.5.1, 5.4.2, 5.3.1, and other corresponding security releases for each affected branch. Users were advised to update to the latest patched version, change admin passwords (especially if reused across sites), and rotate any payment gateway and WooCommerce API keys (WooCommerce Blog).