### [CVE-2021-32789](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32789)

![](https://img.shields.io/static/v1?label=Product&message=woocommerce-gutenberg-products-block&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=%3E%202.5.0%2C%20%3C%202.5.16%20&color=brightgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brightgreen)

### Description

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability affects all WooCommerce sites running the WooCommerce Blocks feature plugin from version 2.5.0 up to, but not including, version 2.5.16. A carefully crafted URL sent to the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint allows execution of a read-only SQL query. Patches are available for many versions of this package, starting with version 2.5.16. There are no known workarounds other than upgrading.

### POC

#### Reference

No PoCs from references.

#### Github

- https://github.com/20142995/nuclei-templates
- https://github.com/20142995/sectool
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/DonVorrin/CVE-2021-32789
- https://github.com/and0x00/CVE-2021-32789
- https://github.com/andnorack/CVE-2021-32789
- https://github.com/l0928h/kate
- https://github.com/nomi-sec/PoC-in-GitHub