Product Labels For Woocommerce < 1.5.11 – Admin+ SQLi | CVE 2024-10638

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

1. Login to the WordPress site with an administrator or manage_woocommerce role.
2. Navigate to the Badge creation page: https://example.com/wp-admin/admin.php?page=acoplw_badges_ui#/badge/add
3. While creating a new badge, intercept the outgoing POST request with a tool like Burp Suite or OWASP ZAP.
4. Modify the JSON payload within the intercepted POST request by setting the customPL[rules][rule][value] path to contain a SQL injection payload.
   Specifically, change:
   `customPL[rules][rule][value][""]`
   to
  `customPL[rules][rule][value]["select sleep(1)"]`
5. Resend the modified POST request to the server to create a new Badge containing the SQL injection payload.
6. After the badge is created, request its information by performing a GET request to the API endpoint: `https://example.com/wp-json/acoplw/v1/badges/{id}`
7. The server responds to the GET request triggering the execution of the malicious SQL query included in the badge configuration. In this case, the server response will be delayed.