A few weeks ago an SQL injection was discovered in the TI WooCommerce Wishlist plugin. After checking more closely we found another entry point, affecting over 100,000 active installs. Despite the severity of this issue, the vendor has not yet provided a patch, leading to public disclosure. The vulnerability can be exploited by unauthenticated users, allowing for potential SQL injection attacks.
| Field | Value |
|---|---|
| Fixed Version | Not fixed |
| CVE-ID | CVE-2024-9156 |
| WPVDB-ID | e95974f9-1f68-4181-89b0-3559d61cfa93 |
| CVSSv3.1 | 7.5 |
Exploring the Vulnerability
The issue was identified in the plugin's wishlist management functionality. Affected code:

```php
if ($lang) {
    if ($lang_default) {
        // Both language codes are pasted verbatim into a quoted, comma-separated list.
        $languages = sprintf("'%s'", implode("', '", array($lang, $lang_default)));
    } else {
        $languages = "'" . $lang . "'";
    }
    [...]
    // $languages is concatenated straight into the IN (...) clauses below;
    // no escaping and no prepared statement is applied.
    $sql .= "LEFT JOIN {$table_translations} tr ON
        {$table}.product_id = tr.element_id AND tr.element_type = 'post_product'
    LEFT JOIN {$table_translations} tr2 ON
        {$table}.variation_id != 0 AND {$table}.variation_id = tr2.element_id AND tr2.element_type = 'post_product_variation'
    LEFT JOIN {$table_translations} t ON
        tr.trid = t.trid AND t.element_type = 'post_product' AND t.language_code IN ({$languages})
    LEFT JOIN {$table_translations} t2 ON
        {$table}.variation_id != 0 AND tr2.trid = t2.trid AND t2.element_type = 'post_product_variation' AND t2.language_code IN ({$languages})
    JOIN {$table_languages} l ON
        (
            t.language_code = l.code OR t2.language_code = l.code
        ) AND l.active = 1";
}
[...]
// The assembled string is executed as-is.
$results = $wpdb->get_results($sql, ARRAY_A);
```
Because $lang and $lang_default are joined with implode and interpolated directly into the IN (...) clauses, without escaping or a prepared statement, a value that contains a quote character can terminate the string literal and append extra SQL to the query. A proof of concept will be made available on the WPScan entry for this issue on September 16th, 2024.

Note: full exploitation requires a particular condition, but the vulnerability still poses a significant threat.
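As an added example that is not part of this advisory or of the plugin's own code, the same JOIN can be built with the language codes bound through `$wpdb->prepare()` instead of string concatenation. The function name, the placeholder table names and the `wpdb_stand_in` class used to run it outside WordPress are assumptions; inside WordPress the global `$wpdb` would be passed instead.

```php
<?php
// Added example (not the plugin's code): bind the language codes with
// $wpdb->prepare() so a quote inside a code cannot break out of IN (...).

function tinv_example_language_join_sql($wpdb, $table, $table_translations, $table_languages, $lang, $lang_default = '')
{
    // Keep only non-empty codes, mirroring the original if/else branches.
    $codes = array_values(array_filter(array($lang, $lang_default), 'strlen'));
    if (empty($codes)) {
        return '';
    }

    // One %s placeholder per code; prepare() escapes and quotes each value.
    $placeholders = implode(', ', array_fill(0, count($codes), '%s'));

    // Table names come from the plugin's own configuration, not from the request.
    $sql = "LEFT JOIN {$table_translations} tr ON
        {$table}.product_id = tr.element_id AND tr.element_type = 'post_product'
    LEFT JOIN {$table_translations} tr2 ON
        {$table}.variation_id != 0 AND {$table}.variation_id = tr2.element_id AND tr2.element_type = 'post_product_variation'
    LEFT JOIN {$table_translations} t ON
        tr.trid = t.trid AND t.element_type = 'post_product' AND t.language_code IN ({$placeholders})
    LEFT JOIN {$table_translations} t2 ON
        {$table}.variation_id != 0 AND tr2.trid = t2.trid AND t2.element_type = 'post_product_variation' AND t2.language_code IN ({$placeholders})
    JOIN {$table_languages} l ON
        (
            t.language_code = l.code OR t2.language_code = l.code
        ) AND l.active = 1";

    // The placeholder list appears twice, so the codes are supplied twice, in order.
    // wpdb::prepare() accepts the argument list as a single array.
    return $wpdb->prepare($sql, array_merge($codes, $codes));
}

// Constructed stand-in for wpdb::prepare() so the function can be exercised
// outside WordPress. The real method escapes with mysqli_real_escape_string;
// addslashes() is used here only to make the quoting visible.
class wpdb_stand_in
{
    public function prepare($query, $args)
    {
        $quoted = array_map(function ($v) {
            return "'" . addslashes((string) $v) . "'";
        }, $args);
        return vsprintf($query, $quoted);
    }
}

// Demo with placeholder table names and a language code containing a quote.
$wpdb = new wpdb_stand_in();
echo tinv_example_language_join_sql(
    $wpdb,
    'wp_example_items',
    'wp_example_translations',
    'wp_example_languages',
    "en'",
    'de'
), PHP_EOL;
// The quote inside "en'" is escaped, so it stays inside the string literal
// instead of terminating it; the IN (...) list contains exactly two values.
```

The key difference from the affected code is that the number of values in each IN list is fixed by the placeholder string, and every value is quoted by `prepare()` rather than by the caller, so the shape of the query can no longer be changed by the contents of $lang or $lang_default.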
Why It Matters
Since no patch is available, users are left exposed: attackers can potentially gain access to the website's database.
Current Status
- It is strongly recommended to either disable the plugin or apply a custom Web Application Firewall (WAF) rule to mitigate the risk until a fix is released.
- We contacted WordPress.org since it was not possible to contact the vendor directly.