TI WooCommerce Wishlist < 2.9.1 – Unauthenticated SQL Injection via lang parameters | CVE 2024-9156 | Plugin Vulnerabilities

Description

The plugin is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Proof of Concept

add or remove wishlist items and add the following extra params to the post request:

	
lang=%5C&lang_default=,0) OR t.language_code=sleep(10)--+


the plugin "sitepress-multilingual-cms" have to be present for this to work.

Affects Plugins

ti-woocommerce-wishlist

Fixed in 2.9.1

References

CVE

URL

https://wpscan.com/blog/unpatched-vulnerability-in-ti-woocommerce-wishlist-plugin/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

John Castro

Submitter

John Castro

Verified

Yes

WPVDB ID

e95974f9-1f68-4181-89b0-3559d61cfa93

Timeline

Publicly Published

2024-09-19 (about 1 year ago)

Added

2024-09-24 (about 1 year ago)

Last Updated

2024-10-23 (about 1 year ago)

Other

Published

Title

Published

2022-07-22

Title

Homepage Product Organizer for WooCommerce <= 1.1 - Subscriber+ SQLi

Published

2025-12-14

Title

Store Locator WordPress < 1.6.3 - Authenticated (Contributor+) SQL Injection

Published

2015-08-21

Title

Gallery Bank < 3.0.330 - Authenticated Blind SQL Injection

Published

2022-08-08

Title

JoomSport < 5.2.6 - Admin+ SQLi

Published

2014-08-01

Title

Event Registration <= 5.43 - SQL Injection