WordPress Plugin Vulnerabilities

Sync WooCommerce Product feed to Google Shopping <= 1.2.4 - Admin+ SQLi

Description

The plugin uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard

Proof of Concept

Affects Plugins

Plugin icon
exportfeed-for-woocommerce-google-product-feed
No known fix

References

CVE
CVE-2021-25068

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
0xdecafbad
Submitter website
http://vuln.farm
Verified
Yes
WPVDB ID
32799efd-99dc-46dd-8648-e9eb872a0371

Timeline

Publicly Published
2022-03-07 (about 3 years ago)
Added
2022-03-07 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2025-05-22
Title
WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce <= 1.1.0 - Unauthenticated SQL Injection
Published
2017-08-05
Title
rk-responsive-contact-form 1.0 - Authenticated Blind SQL Injection
Published
2024-08-26
Title
Woocommerce Addon by Greenshift< 1.9.8 - Authenticated (Subscriber+) SQL Injection
Published
2021-01-18
Title
301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
Published
2024-11-21
Title
AI-Engine < 2.6.5 - Admin+ SQLi